Peter DOMINKE et al.
CONTROL UNIT FOR CONTROLLING
To Be Assigned
To Be Assigned 



Assistant Commissioner for Patents
Washington, D.C. 20231 

PRELIMINARY AMENDMENT AND 
37 C.F.R. § 1.125 SUBSTITUTE SPECIFICATION STATEMENT

SIR: 

Please amend without prejudice the above-identified application before examination, as 
set forth below. 



IN THE TITLE:

Please amend without prejudice the title to be:
--CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS--.



IN THE SPECIFICATION AND ABSTRACT:

In accordance with 37 C.F.R. § 1.121(b)(3), a Substitute Specification (including the
Abstract, but without claims) accompanies this response. It is respectfully requested that the
Substitute Specification (including Abstract) be entered to replace the Specification of record.



IN THE CLAIMS:

Without prejudice, please cancel original claims 1 to 18 and substitute claim 12, and 
please add new claims 19 to 36 as follows: 



—19. (New) A control unit for controlling a safety-critical application, the control unit 
comprising: 

a microcomputer; 

a monitoring unit including a first arrangement for measuring a quiescent current of the 
microcomputer, and including a second arrangement for applying a test data input signal, for 
processing test data output signals and for comparing a corresponding test data output signal of 
the microcomputer to a corresponding test data output signal of the monitoring unit; 

at least one quiescent current handshake line running between the first arrangement and 
the microcomputer for controlling the measuring of the quiescent current;

at least one test data signal transmission line running between the second arrangement and 
the microcomputer; and 

peripheral circuits. 

20. (New) The control unit of claim 19, wherein: 

the first arrangement includes an IDDQ measuring circuit, a voltage supply, an IDDQ 
measuring run control, and a control system of the monitoring unit; 

the at least one quiescent current handshake line includes two handshake lines running 
from the IDDQ measuring run control to the microcomputer; 

the first arrangement and the microcomputer are coupled by the two handshake lines and 
at least one voltage supply line running from the voltage supply to the microcomputer; and 

at least one of the at least one voltage supply line runs through the IDDQ measuring
circuit.

21. (New) The control unit of claim 20, wherein the at least one voltage supply line includes two
voltage supply lines running between the voltage source and the microcomputer, and one of the 
two voltage supply lines runs through the IDDQ measuring circuit. 

22. (New) The control unit of claim 19, wherein: 

the first arrangement includes an IDDQ measuring circuit, a voltage 
supply, an IDDQ measuring run control, and a control system of the monitoring 
unit;

the at least one quiescent current handshake line includes two handshake
lines running from the IDDQ measuring run control to the microcomputer; and

at least one voltage supply line running from the voltage supply to the
microcomputer, at least one of the at least one voltage supply line running through the 
IDDQ measuring circuit. 

23. (New) The control unit of claim 20, wherein the first arrangement includes an initialization 
circuit for receiving an initialization signal from the voltage source after the control unit is 
switched on, and for subsequently transmitting an enable signal to the IDDQ measuring run 
control to enable an IDDQ measurement. 

24. (New) The control unit of claim 19, wherein: 

the second arrangement includes a test data signal generator for applying 
the test data input signal to the microcomputer, a response generator for 
processing the test data input signal and for forming the corresponding test data 
output signal, a test data register for receiving the test data input signal and for 
transmitting the corresponding test data output signal, and a comparator for 
comparing the corresponding test data output signal of the microcomputer to the 
corresponding test data output signal of the monitoring unit; and 

the at least one test data transmission line runs between the test data 
register of the second arrangement and the microcomputer. 

25. (New) The control unit of claim 24, wherein the at least one test data transmission line 
includes two test data transmission lines. 

26. (New) The control unit of claim 24, wherein the second arrangement includes a trigger 
generator for determining an instant at which the corresponding test data output signal of the 
microcomputer is available at the comparator, the microcomputer being error-free.

27. (New) The control unit of claim 24, wherein the second arrangement includes an error 
counter for counting an error if at least one of the following is satisfied: the corresponding test 
data output signal of the microcomputer is not consistent with the corresponding test data output
signal of the monitoring unit; and the corresponding test data output signal of the microcomputer
is available at the comparator at a different instant than one determined by the trigger generator. 

28. (New) The control unit of claim 27, wherein there is a plurality of response thresholds for 
use with the error counter, and a different reaction results by exceeding each response threshold
of the plurality of response thresholds.

29. (New) The control unit of claim 25, wherein the first arrangement includes an initialization 
circuit for receiving an initialization signal from the voltage source after the control unit is 
switched on, for subsequently synchronizing the monitoring unit with the microcomputer, and for
then activating the test data signal generator and the error counter. 

30. (New) A method for testing a microcomputer of a control unit for controlling safety-critical 
applications, the control unit including the microcomputer, a monitoring unit, and peripheral 
circuits, the method comprising: 

measuring a quiescent current of the microcomputer, the measuring of the 
quiescent current being controlled by the monitoring unit; 

exchanging at least one handshake signal between the microcomputer and 
the monitoring unit; 

applying a test data input signal to the microcomputer; 

determining a first test data output signal; and 

comparing a second test data output signal of the microcomputer to the 
first test data output signal of the monitoring unit. 

31. (New) The method of claim 30, wherein a quiescent current measurement corresponds to an 
IDDQ measurement. 

32. (New) The method of claim 31, wherein the IDDQ measurement is performed after the 
control unit is switched on after being enabled by an enable signal.

33. (New) The method of claim 31, wherein the second test data output signal of the
microcomputer is compared to the first test data output signal of the monitoring unit while the 
control unit is operating. 

34. (New) The method of claim 31, wherein a clock generator is stopped by the microcomputer 
during at least one of: the IDDQ measurement; and the comparing of the second test data output 
signal of the microcomputer with the first test data output signal of the monitoring unit. 

35. (New) The method of claim 31, wherein the test data input signal of the monitoring unit is
generated by a test data signal generator via a feedback shift register. 

36. (New) The method of claim 35, wherein the test data output signal of the monitoring unit is 
generated by a response generator using a Reed-Muller code.—. 

Remarks 

This Preliminary Amendment cancels without prejudice original claims 1 to 18 
and substitute claim 12 in the underlying PCT Application No. PCT/DE00/00157, and adds
without prejudice new claims 19 to 36. The new claims conform the claims to U.S. Patent and 
Trademark Office rules and do not add new matter to the application. 

In accordance with 37 C.F.R. § 1.121(b)(3), the Substitute Specification 
(including the Abstract, but without the claims) contains no new matter. The amendments 
reflected in the Substitute Specification (including Abstract) are to conform the Specification and 
Abstract to U.S. Patent and Trademark Office rules or to correct informalities. As required by 37 
C.F.R. § 1.121(b)(3)(iii) and § 1.125(b)(2), a Marked Up Version Of The Substitute Specification 
comparing the Specification of record and the Substitute Specification also accompanies this 
Preliminary Amendment. In the Marked Up Version, shading indicates added text and brackets 
indicate deleted text. Approval and entry of the Substitute Specification (including Abstract) is
respectfully requested. 

The underlying PCT Application No. PCT/DE00/00157 includes an International
Search Report, dated June 14, 2000. The Search Report includes a list of documents that were
uncovered in the underlying PCT Application. A copy of the Search Report accompanies this
Preliminary Amendment.

The underlying PCT application also includes an International Preliminary
Examination Report, dated May 16, 2001, and an annex (including Revised/Substitute Claim 12). 
An English translation of the International Preliminary Examination Report and the annex 
accompanies this Preliminary Amendment. 

Applicants assert that the subject matter of the present application is new,
non-obvious, and useful. Prompt consideration and allowance of the application are
respectfully requested.



Dated:

Richard L. Mayer
(Reg. No. 22,490) 

One Broadway 

New York, NY 10004 

(212) 425-7200 



CUSTOMER NO. 26646

CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS

FIELD OF THE INVENTION

The present invention relates to a control unit for
controlling safety-critical applications, having a
microcomputer (MC), a monitoring unit (check unit, CU), and
peripheral circuits (input output, IO). Furthermore, the
present invention relates to a method for checking a
microcomputer (MC) of a control unit for controlling
safety-critical applications, the control unit having a
microcomputer (MC), a monitoring unit (check unit, CU), and
peripheral circuits (input output, IO).

BACKGROUND INFORMATION

In control units that control or regulate applications or
functions that are critical with regard to safety, errors of
the microcomputer (MC) or of a processor of the microcomputer
may be detected by monitoring. Such control units having
safety tasks are used, for example, for anti-lock braking
systems, for traction control systems, and/or for electronic
stability programs. The safety-critical applications
controlled by the control unit are connected to the control
unit via the peripheral circuits. In the case of
single-computer control units, methods having a self-test,
plausibility check, and watchdog may be available.

For testing CMOS chips (integrated circuits, IC) at the
manufacturer, methods and measuring devices for measuring the
quiescent current are used. The background of the so-called
quiescent current test is that in a digital CMOS chip in
purely static logic, it is believed that almost the entire
power loss during the switching operations occurs in its
interior. In the rest state, the current flow is restricted to
tiny leakage currents as well as to currents through pullup
resistors or pulldown resistors at the inputs and through
external loads at the output drivers.

It is believed that various production-dependent errors may
lead to increased conductivity between the positive and
negative supply voltage, and that activating such defective
regions (point defects) of the circuit causes the current
consumption to increase abruptly. Such defects may be
ascertained by a highly exact measurement of the current
consumption during the test operation and a comparison to
corresponding setpoint values. As already stated, such a
quiescent current measurement may be used in the manufacture
of CMOS chips to sort out the defective chips after the
manufacturing process.

The quiescent current test method, which is believed to be
available for use in the manufacturing of computer modules for
the control units (as referred to above), may be used to test
the computer modules during their normal operation for
detecting what may be the most frequent defects in the
computer modules, in particular in the microcomputer (MC),
e.g. lock-up errors (stuck-at), bridge errors (bridging),
and/or interrupt errors (stuck-open).

An available approach for increasing reliability in the case
of control units (as referred to above) involves providing two
MCs, which reciprocally test one another by parallel computing
and/or plausibility checks. However, cost considerations may
suggest using only one MC for such control units.



SUMMARY OF THE INVENTION 

An object of an exemplary method and/or exemplary embodiment
of the present invention is to provide a control unit in which
the reliability of the error detection is improved, and the
detection is expanded to additional types of errors.

In an exemplary embodiment of the present invention, the
monitoring unit (CU) has a first apparatus, arrangement or
structure for measuring the quiescent current of the
microcomputer (MC), at least one handshake line for
controlling the measurement of the quiescent current runs
between the first apparatus, arrangement or structure of the
CU and the MC, the CU has a second apparatus, arrangement or
structure for applying a test data input signal to the MC to
process the test data input signal and compare the
corresponding test data output signal of the MC to the
corresponding test data output signal of the CU, and at least
one test data signal transmission line runs between the second
apparatus, arrangement or structure of the CU and the MC.

In accordance with the exemplary embodiment and/or exemplary
method of the present invention, the reliability of the error
detection can be increased by using two different test methods
that supplement one another. In this manner, it is believed
that a significantly greater number of different error types
of the computer modules of the MC can be detected.

The control unit according to the exemplary embodiment of the
present invention can also have a plurality of MCs and a
plurality of CUs. However, the following assumes that the
control unit has one MC and one CU. The CU of the control unit
according to the exemplary embodiment of the present invention
has a first apparatus, arrangement or structure for measuring
the quiescent current of the MC.

At least one handshake line for controlling the measurement of
the quiescent current runs between the first apparatus,
arrangement or structure of the CU and the MC. The handshake
line can, for example, be a bidirectional line.

After the control unit is switched on, the quiescent current
is measured for a set number (typically 8 to 16) of selected
commands within the framework of a test program. For example,
14 selected commands containing an internal machine cycle are
processed for microcomputer TMS470.

To supplement the quiescent current measurement, the CU of the
control unit according to the exemplary embodiment of the
present invention has a second apparatus, arrangement or
structure. At least one transmission line for test data
signals runs between the second apparatus, arrangement or
structure of the CU and the MC.

The second apparatus, arrangement or structure applies a test
data signal to the MC. The MC calculates a test data output
signal, which is dependent upon the test data input signal and
the states inside the MC. Defective states result in a changed
test data output signal of the MC.

In the second apparatus, arrangement or structure of the CU,
the test data input signal is also processed to form a test
data output signal that is used as a reference signal for
checking the test data output signal of the MC. When
calculating the test data output signal, the CU assumes an
error-free, functioning MC. The completed calculation may have
a "very simple" design.

The microcomputer does not have a double design, and the same
computation is not carried out by the CU as by the MC, as is
the case for parallel computer systems. Rather, starting from
the input data of a predefined test function, the MC
calculates the output data whose results are checked by the CU
using the reference signal calculated by it. The test function
used for calculating the output data may be "very simple" in
its implementation. The calculation only requires minimal
computing time. However, complex tests and results from the
application programs can also be included in this test
function.

Finally, the test data output signal of the CU is compared to
the test data output signal of the MC. If they deviate from
one another, or if the deviation exceeds a predetermined
threshold value, the CU recognizes an error of the MC. The
test result can be displayed by a display device and/or it can
be provided that, upon occurrence of an error, the system
controlled and/or regulated by the control unit may be
switched off.

According to another exemplary embodiment of the present
invention, the first apparatus, arrangement or structure
includes an IDDQ measuring circuit, a voltage supply, an IDDQ
measuring run control (MAS), and a control system of the CU,
and the connection between the first apparatus,
arrangement or structure, and the MC includes two handshake
lines that run from the IDDQ-MAS to the MC and at least one
voltage supply line that runs from the voltage supply to the
MC, at least one of the voltage supply lines running through
(or across) the IDDQ measuring circuit. In semiconductors, IDD
designates the positive supply current. IDDQ designates the
quiescent current. The handshake lines are, for example,
configured as START and END handshake lines for starting and
acknowledging the completion of the functional test.

The communication between the MC and the CU for measuring the
quiescent current is carried out via the two handshake lines.
The quiescent current of the MC is measured by the CU via the
separate voltage supply lines.

As stated, the exemplary embodiment of the present invention
relates to a control unit having a monitoring unit for
checking the microcomputer of the control unit. A voltage
supply unit is provided for supplying voltage to the control
unit and, as such, also to the microcomputer. The control unit
of the CU includes an apparatus, arrangement or structure that
can bring the MC into specific operating states.



Furthermore, the IDDQ measuring circuit includes a measuring
apparatus, arrangement or structure that ascertains the
current or voltage in the voltage supply circuit of the MC,
whereupon the determined current or the determined voltage may
be compared in a comparison apparatus, arrangement or
structure, also present in the IDDQ measuring circuit, to at
least one predefined threshold value.

By measuring the current or voltage, a plurality of possible
errors in the computer can be ascertained using the IDDQ
measurement. In this context, it is believed that what may be
the most frequent errors in the components of the MC can be
substantially covered using a minimum of test steps. Such
errors can be lock-up errors (stuck-at), bridge errors
(bridging), and/or interrupt errors (stuck-open).

As a result of the combination of the quiescent current
measurement and another suitable checking method, in
particular including a check of the functionality of the MC
based on test data records, it is believed that errors may be
widely covered with respect to the significant errors in
computer modules, in particular in CMOS processors, in a way
that may be particularly advantageous for safety-critical
applications.

The abovementioned elimination of the second processor is
largely retained so as to provide an economic advantage of the
control unit according to the exemplary embodiment of the
present invention, since the quiescent current measurement
according to the exemplary embodiment of the present invention
may only require a minimal hardware expenditure.

By specially controlling the MC, the IDDQ-MAS brings
predetermined components of the MC into a low-current state.
The background of this control involves the fact that
components present in the MC may require a relatively high
current. Since, as stated at the outset, the quiescent current
measurement may be based on fluctuations in the quiescent
current within relatively small bandwidths, the high current
consumption of the MC components interferes with the IDDQ
measurement. In particular, the components to which the IDDQ
measurement does not apply are brought into a low-current
state. Such components can be the MC output stage and/or an
input stage (e.g. analog/digital converter), as well as
circuits for internally multiplying the clock pulse.



In the simplest case, the components having high current
consumption are switched off during the test. Thus, internal
circuit elements and circuit outputs that carry high currents
are switched off. Subsequently, the quiescent current can be
measured.

In addition to switching off the components of the MC having
high current as mentioned above, the core of the MC may be
brought into a state of low current consumption. In the case
of such MC modules configured specifically for the quiescent
current measurement, a special operating state, a so-called
IDDQ test mode, may be provided. In this operating state, all
currents inside of the computer are switched off, i.e., the
current in the MC core is minimized.

The IDDQ design is such that standard errors in the MC core
become noticeable as an increase in the quiescent current.
Thus, for example, short-circuit errors and/or stuck-at errors
(short circuit to ground or the supply voltage) are
"immediately" or quickly manifested in an increase in the
quiescent current. In this context, it is not believed to be
necessary to pass on (to propagate) the effect of such an
error to the outputs of the MC. The increased current
consumption is the immediate error indicator.

In addition to the IDDQ test mode described above, it can be
provided that only the MC components having a high current are
switched off, and, in response to a command, the MC enters a
defined low-current state. In this context, the MC core does
not have to be specially configured for the IDDQ test mode.
This is called the power-down mode.



The power-down mode is initiated by loading internal
components of the computer, such as the register and memory,
with certain patterns, and by bringing the abovementioned
computer components into a state of low current consumption,
e.g., by executing a certain computer command. If this state
is achieved, a clock generator can be selectively switched off
or disconnected. Subsequently, the quiescent current or a
corresponding voltage value is measured and compared to a
threshold value corresponding to the above-set operating state
(power-down state) of the MC core. If certain errors are
present in the computer (stuck-at errors, bridging errors,
stuck-open errors), the result may be an increase in the
quiescent current or in the voltage drop caused by the
quiescent current.

After such a test step, additional test steps can follow in
that the power-down mode is first exited by applying certain
signal levels to specific connections of the MC. By again
starting or switching on the clock generator, the internal
computer components, such as the register and the memory, are
loaded with additional patterns, and the abovementioned
components are again brought into a low-current state, e.g.,
by executing a specific computer command (power-down command).
The above-described measurement of the quiescent current then
follows. As a result of a plurality of such consecutively
performed measurements of the power-down current, errors in
the registers, memories, and components of the computer core
may be ascertained in an increasingly more complete manner.

According to the exemplary computer and exemplary circuit, the
individual test steps are ended by re-enabling the clock
generator, by triggering a reset, or by triggering an external
interrupt. After the last test step, the MC runs again in its
normal operating mode (normal operation).

In addition to the above-described quiescent current
measurement in the power-down mode, provision is also made in
accordance with the exemplary embodiment of the present
invention for the quiescent current to be measured in the
indicated IDDQ test mode (provided the computer to be checked
is suitably configured). The start of the IDDQ test mode is
initiated by changing the signal level at a connection of the
MC, for example. Also in this context, the register and memory
are loaded with certain patterns prior to entering the IDDQ
test mode.

Upon entering the IDDQ test mode, the computer components
having high current consumption are switched off. Furthermore,
by discontinuing or decoupling the time pulse while executing
a command, the computer core can be kept in a state "typical"
for this command. These commands are selected so that they
adjust the states of the internal circuit nodes of the
computer core so that as many errors as possible or at least
more errors can be detected via the quiescent current
measurement.

The handshake for the quiescent current measurement is carried
out or performed in a number of steps:

S1: The MC sets the START signal to HIGH. Consequently, the
    CU knows that an IDDQ measurement is beginning.
S2: The MC can selectively prepare to stop the time pulse
    (master clock, MCLK), in that it sets a signal PREP to
    LOW via an internal command.
S3: The MC decodes the precisely defined instant within the
    next suitable command for the IDDQ test and also sets a
    signal DEKOD to LOW. Now the MCLK is set equal to LOW,
    and the digital component of the MC is set to static
    operation for the IDDQ measurement.
S4: The CU performs the IDDQ measurement.
S5: The CU outputs the level sequence LOW-HIGH-LOW at the
    signal END, thereby reactivating the MCLK.
S6: The MC becomes active again and confirms the end of the
    measurement by setting the START signal to LOW. The MC
    continues the program and prepares the next IDDQ
    measurement or ends the IDDQ measurement when all
    measurements have been carried out.

Two voltage supply lines may run between the voltage supply
and the MC, one voltage supply line running through the IDDQ
measuring circuit. The quiescent current of the MC is measured
via the voltage supply line that runs through the IDDQ
measuring circuit.

According to another exemplary embodiment of the control unit
according to the present invention, the first apparatus,
arrangement or structure includes an IDDQ measuring circuit, a
voltage supply, an IDDQ measuring run control (MAS), and a
control system of the CU, and the connection between the first
apparatus, arrangement or structure and the MC includes four
handshake lines that run from the IDDQ-MAS to the MC and at
least one voltage supply line that runs from the voltage
supply to the MC, at least one of the voltage supply lines
running through the IDDQ measuring circuit.

In the case of four handshake lines, a time-pulse (CLK) line
and a line for a power-down (PWRDN) control can be provided
for the MC in addition to the lines START, END in the case of
two handshake lines. In this exemplary embodiment of the
control unit, a shared voltage supply line to the processor is
sufficient, the quiescent current being measured in the
voltage supply line. The clock generator is then stopped in
the CU. The control of voltage supply circuits for analog
circuits and IO circuits in the MC is carried out or performed
via the PWRDN line from the CU. As such, only the quiescent
current of the digital component of the MC flows in the
measuring case through the shared voltage supply line.

Advantageously, the first apparatus, arrangement or structure
includes an initialization circuit, which receives an
initialization signal from the voltage supply after the
control unit is switched on and subsequently transmits an
enable signal to the IDDQ-MAS to enable the IDDQ measurement.
The successful completion of the IDDQ measurement is signaled
by an additional signal to the control system of the CU.
Consequently, the CU advances the test run in that the
initialization circuit enables the test data signal generator
via an additional signal.



According to another exemplary embodiment of the present
invention, the second apparatus, arrangement or structure
includes a test data signal generator for applying a test data
input signal to the MC, a response generator for processing
the test data input signal and for forming a corresponding
test data output signal, a test data register for transmitting
and receiving test data, and a comparator for comparing the
test data output signal of the MC to the test data output
signal of the CU. The connection between the second apparatus,
arrangement or structure and the MC includes at least one test
data transmission line, which runs between the test data
register and the MC. Advantageously, two test data
transmission lines may run between the test data register and
the MC.

The test data signal generator is also activated by the
initialization circuit after the control unit is enabled. In
the test data signal generator, the test data for the MC are
generated in a virtually random order by a feedback shift
register. With the aid of the Reed-Muller codes, the bit
string for the test data output signal (the so-called
reference signal) is formed in the response generator, for
every test data input signal. This code is used to maintain a
distance that is as great as possible in the space of numbers
of the test data output signals (Hamming distance). In the
comparator, the theoretically calculated test data output
signal from the response generator of the CU is then compared
to the actual test data output signal of the MC from the test
data register.

The second apparatus, arrangement or structure may also
include a trigger generator, which determines the instant at
which the test data output signal of the MC is available at
the comparator, in the case of an error-free MC. The trigger
generator stipulates the instant of the comparison of the
determined test data output signal of the MC and the actual
response of the CU. As a result, it is at least better ensured
that the time slices in the MC proceed correctly. The
comparator not only checks the test data output signal for the
correct data value but also to determine whether the test data
output signal is transmitted within a specific timing window.

Advantageously, the second apparatus, arrangement or structure
includes an error counter, which counts up or down, if the
test data output signal of the MC is not consistent with the
test data output signal of the CU, and/or if the test data
output signal of the MC is available at the comparator at an
instant that differs from the one determined by the trigger
generator. By a counting pulse, the comparator causes the
error counter to count up or down. If the value and instant of
the test data output signal are correct, the error counter is
decremented, for example. If the error counter falls below a
predefined value, an external warning light, for example, is
switched on or off via a signal interface, and a relay for
manipulating the safety-critical application is enabled.

The manipulation of the application to be controlled may be
limited to discontinuing the application. In the case of
special applications, it can, however, be useful for the error
counter to have a plurality of response thresholds, exceeding
the response threshold resulting in a different reaction in
each case. As a result, the application can be prevented from
being immediately interrupted in the case of a singular
disturbance, and the disabling path can be checked by the
computer.

If the MC responds to a test data input signal at the wrong
instant or with an incorrect value, the same test data input
signal is applied to the MC again until the instant and value
of the test data output signal are correct. If this does not
occur within a predefined time period, the CU switches off the
control unit or the application, and it cannot be re-activated
even by correct responses.

The second apparatus, arrangement or structure may include an
initialization circuit, which receives an initialization
signal from the voltage source after the control unit is
enabled, subsequently synchronizes the CU with the MC, and
then activates the test data signal generator and the error
counter. The CU is synchronized with the MC in that the CU
waits for the first data transmission of the MC.

An additional object of the exemplary embodiment of the
present invention is to provide a method for checking a
microcomputer so that the reliability of the error detection
may be improved, and the detection may be expanded to
additional types of errors.

To achieve this object, in the exemplary method of the present
invention, the CU of the control unit measures the quiescent
current of the MC and applies a test data input signal to the
MC, determines a first test data output signal, and compares a
second test data output signal of the MC to the first test
data output signal of the CU.

Advantageously, the quiescent current measurement is in the
form of an IDDQ measurement. The IDDQ measurement may be
carried out or performed after the control unit is switched on
after being enabled by an enable signal.

According to another exemplary method according to the present
invention, the second test data output signal of the MC is
compared to the first test data output signal of the CU while
the control unit is in operation. This may have the advantage
that the control unit does not have to be switched off to test
the functionality of the microcomputer. Rather, MC computing
power not used for controlling the application can be used to
check the MC while the control unit is in operation.

A false test data output signal may be transmitted one time at
regular intervals to the CU while the control unit is in
operation to check the functionality of the disabling path.

Another exemplary embodiment of the present invention involves
the fact that a clock generator is stopped by the MC during
the IDDQ measurement and/or while the second test data output
signal of the MC is being compared to the first test data
output signal of the CU. The clock generator is provided in
the control system of the CU. The internal computer operations
in particular are controlled as a function of the output
signal of this clock generator. In the described IDDQ test
mode, it is provided that this clock generator is switched off
or disabled or disconnected from the MC. This can also be
carried out or performed in the power-down mode when a
particularly low quiescent current is to be achieved. The
clock generator is switched off or disabled or disconnected
especially at the start of every quiescent current
measurement.

The test data input signal of the CU may be generated by a
test data signal generator, via a feedback shift register. The
test data output signal of the CU may be generated by a
response generator, with the aid of the Reed-Muller code.

The exemplary control unit according to the present invention
can be checked by two different test runs. A so-called
start-up test is carried out immediately following the
switching on of the control unit and prior to the operation of
the control unit for controlling or regulating the
safety-critical application. After the start-up test, a
so-called online test is carried out or performed from time to
time while the control unit is in operation.

The start-up test is subdivided into two test segments, the
so-called processor initialization segment (Proz-Init) and the
subsequent so-called operating system initialization segment
(BS-Init). The processor initialization segment includes a
command test and a core test, a RAM/ROM test, and an IDDQ
test. The operating system initialization segment includes a
start-up control and a test of the CU. In the start-up
control, different input values are tested on the control unit
(e.g. a certain speed pattern of the wheels of a vehicle, as
can typically occur at the input of an ABS control unit of the
vehicle). The control unit carries out a regulation or control
of the application based on the input values. The result of
the simulated regulation or control is compared to
corresponding setpoint values. When testing the CU, a
defective MC is simulated, and the reaction of the CU to the
defect is checked.

The online test has a command test and a core test, a RAM/ROM
test, a test of the CU, and a replication test. In the
replication test, double memory spaces are provided for
certain safety-critical variables, and certain safety-critical
calculations are carried out twice. The contents of the double
memory spaces and the results of the double calculations are
compared to one another. The redundant storing and the
redundant calculation are carried out by a processor of the
control unit.

Furthermore, the online test has a plausibility check in which
control signals or regulation signals determined by the MC are
checked for plausibility. In the case of an ABS control unit,
one can, for example, check whether the speed, the
acceleration, or the deceleration are within certain limits.
Moreover, the values of the individual wheels of the vehicle
must be in a certain relation to one another, which can also
be checked. Finally, the online test has another operating
system test and a test of the remaining monitoring units of
the control unit.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 shows a schematic block diagram of an exemplary
control unit according to the present invention.

Figure 2 shows a more detailed view of a block diagram of the
control unit from Fig. 1.

Figure 3 shows an exemplary circuit configuration for a
quiescent current measurement including a two-wire handshake.

Figure 4 shows a timing diagram of the measuring run control
for the quiescent current from Figure 3.

DETAILED DESCRIPTION

Figure 1 shows a schematic block diagram of an exemplary
control unit according to the present invention. Reference
numeral 1 designates the exemplary control unit according to
the present invention in its entirety. Control unit 1 is used
to control safety-critical applications, e.g. for anti-lock
(braking) systems, for traction control systems, and/or for
electronic stability programs.



Control unit 1 has a microcomputer MC, a monitoring unit (CU,
check unit), and peripheral circuits (IO, input/output).
Microcomputer MC, monitoring unit CU, and peripheral circuits
IO are connected in series via a serial synchronous databus 2.
Via its data output line MC_Dout, microcomputer MC transmits
the data output signals through databus 2 to the bus users and
simultaneously receives the data input signals via its data
input line MC_Din. Using the signal SAM (sample), the bus
users store the data received in their storage registers.

There are additional connecting lines between microcomputer MC
and monitoring unit CU, namely a shared supply line VDD or
alternatively, a plurality of supply lines VDD for a digital
and analog supply of microcomputer MC. Finally, IDDQ handshake
lines IDDQ-HDSHK, which are used for controlling the quiescent
current measurement (IDDQ measurement) of microcomputer MC,
run between microcomputer MC and monitoring unit CU. So-called
disabling paths 3 lead from monitoring unit CU to external
warning lamps and/or relays to manipulate the safety-critical
applications to be controlled, depending on whether monitoring
unit CU detects an error of microcomputer MC. Peripheral
circuits IO have connecting lines 4 to safety-critical
application 5 to be controlled.

After control unit 1 is switched on, the quiescent current is
measured to check the functionality of microcomputer MC. While
control unit 1 is in operation, the functionality of
microcomputer MC is checked in that it regularly receives test
data records, and the corresponding second test data output
signal of the MC is compared to an error-free first test data
output signal calculated by monitoring unit CU.

Figure 2 shows a detailed overview of a block diagram of the
control unit 1 from Figure 1. Monitoring unit CU includes a
control system 6 of monitoring unit CU, a measuring run
control 7 for the IDDQ measurement, an IDDQ measuring circuit
8, and a voltage supply 9. Control system 6 of monitoring unit
CU includes a test data signal generator 10, a response
generator 11, and a comparator 12. With the aid of test data
signal generator 10, a test data input signal is applied to
microcomputer MC, and the microcomputer determines a second
test data output signal as a function of the test data input
signal and its own internal states. Response generator 11
processes the same test data input signal and forms a
corresponding first test data output signal. In comparator 12,
the first test data output signal of monitoring unit CU is
compared to the second test data output signal of
microcomputer MC. A trigger generator 13 determines the
instant at which the second test data output signal of
microcomputer MC is available at comparator 12, given an
error-free, functioning microcomputer MC.

Control system 6 of monitoring unit CU further has an error
counter 14, which counts an error, if the second test data
output signal of microcomputer MC is not consistent with the
first test data output signal of monitoring unit CU, and/or if
the second test data output signal of microcomputer MC is
available at comparator 12 at a different instant than the one
determined by trigger generator 13.

Furthermore, control system 6 of monitoring unit CU has a test
data register 17, which is used for transmitting and receiving
test data.

Finally, control system 6 of monitoring unit CU also has an
initialization circuit 15, which receives an initialization
signal RST from voltage supply 9 after control unit 1 is
switched on and subsequently synchronizes monitoring unit CU
with microcomputer MC in that the monitoring unit waits for
the first data transmission of the MC. Initialization circuit
15 subsequently activates test data signal generator 10 and
error counter 14.

In test data signal generator 10, the test data input signals
for microcomputer MC are generated in a virtually random order
by a feedback shift register. With the aid of the Reed-Muller
codes, the bit string for the corresponding first test data
output signal is formed in response generator 11, for every
test data input signal. This code is used to maintain a
distance that is as great as possible in the space of numbers
of the test data output signals (Hamming distance). In
comparator 12, the first test data output signal determined in
response generator 11 is then compared to the actual second
test data output signal of microcomputer MC.

The instant of the comparison is specified by trigger
generator 13. This is intended to ensure that the time slices
in microcomputer MC proceed correctly. Comparator 12 not only
checks the second test data output signal of the MC for the
correct data value but also determines whether the test data
output signal is transmitted within a specific timing window.

If the value and instant of the second test data output signal
of the MC are correct, error counter 14 is decremented, and
the safety-critical application to be controlled is kept in an
active state via a signal interface 16 in that external
warning lights are switched off and the relays for triggering
application 5 are activated.

In every cycle following this first cycle, the instant and
value of the second test data output signal of the MC must be
correct to prevent error counter 14 from responding
immediately. Error counter 14 has a plurality of response
thresholds to prevent control unit 1 or application 5 from
being switched off in the case of a singular disturbance and
to enable microcomputer MC to check the disabling path. The
first step blocks the valve output stages via signal EN and
switches off the voltage supply of the valves via valve relay
VRA. The display of the warning lights SILA is delayed by one
cycle, so that there is no display when testing the disabling
path.



If a test data input signal is responded to at the wrong
instant or with an incorrect value, the same test data input
signal is applied again to microcomputer MC until the instant
and value are correct. If this does not occur within a
predefined time period, monitoring unit CU switches off the
control unit 1, and it can no longer be activated even by
correct responses.
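
An added example, not code from the patent: a C model of the check described in the summary and in the detailed description above (feedback shift register test data, Reed-Muller reference response, comparison of value and timing window, error counter with several response thresholds, latched switch-off). The LFSR polynomial, the RM(1,3) code, the timing window, counter step, thresholds and retry limit are all assumed values, and the healthy MC is modelled as returning the same codeword the CU computes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Every constant here is an assumption for illustration; the page gives no values. */
enum {
    WIN_OPEN_US = 900, WIN_CLOSE_US = 1100, /* timing window set by the trigger generator */
    ERR_STEP = 3,    /* counter increment for a wrong or mistimed response */
    TH_DISABLE = 6,  /* first response threshold: block outputs (EN / valve relay) */
    TH_WARN = 9,     /* second response threshold: warning lamp on */
    MAX_RETRIES = 4  /* the "predefined time period", counted in repeated cycles */
};

typedef struct {
    uint16_t lfsr;      /* test data signal generator state */
    uint8_t  challenge; /* 4-bit test data input currently applied to the MC */
    int      errors;    /* error counter */
    int      retries;   /* consecutive failures on the current challenge */
    bool     outputs_enabled, warning_lamp, latched_off;
} cu_t;

/* 16-bit Fibonacci LFSR, x^16 + x^14 + x^13 + x^11 + 1 (maximal length). */
uint16_t lfsr_next(uint16_t s) {
    uint16_t bit = (uint16_t)(((s >> 0) ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u);
    return (uint16_t)((s >> 1) | (bit << 15));
}

/* First-order Reed-Muller code RM(1,3): 4 message bits -> 8-bit codeword.
 * Bit i of the codeword is a0 ^ a1*i0 ^ a2*i1 ^ a3*i2. */
uint8_t rm13_encode(uint8_t msg) {
    uint8_t cw = 0;
    for (unsigned i = 0; i < 8; i++) {
        unsigned b = (msg & 1u) ^ ((msg >> 1) & i & 1u)
                   ^ ((msg >> 2) & (i >> 1) & 1u) ^ ((msg >> 3) & (i >> 2) & 1u);
        cw |= (uint8_t)(b << i);
    }
    return cw;
}

/* Smallest Hamming distance between any two reference responses. */
int rm13_min_distance(void) {
    int best = 8;
    for (unsigned a = 0; a < 16; a++)
        for (unsigned b = a + 1; b < 16; b++) {
            int d = 0;
            for (uint8_t x = rm13_encode((uint8_t)a) ^ rm13_encode((uint8_t)b); x; x >>= 1)
                d += x & 1;
            if (d < best) best = d;
        }
    return best;
}

void cu_init(cu_t *cu, uint16_t seed) {
    cu->lfsr = seed ? seed : 0xACE1u; /* an LFSR must never hold all zeros */
    cu->challenge = cu->lfsr & 0x0F;
    cu->errors = cu->retries = 0;
    cu->outputs_enabled = true;
    cu->warning_lamp = cu->latched_off = false;
}

/* One comparison cycle: checks value and arrival time, updates counter and outputs. */
bool cu_check(cu_t *cu, uint8_t response, unsigned t_us) {
    if (cu->latched_off) return false; /* correct answers no longer re-activate */
    bool ok = response == rm13_encode(cu->challenge)
           && t_us >= WIN_OPEN_US && t_us <= WIN_CLOSE_US;
    if (ok) {
        if (cu->errors > 0) cu->errors--;
        cu->retries = 0;
        cu->lfsr = lfsr_next(cu->lfsr);      /* advance to the next test data */
        cu->challenge = cu->lfsr & 0x0F;
    } else {
        cu->errors += ERR_STEP;              /* same challenge is applied again */
        if (++cu->retries > MAX_RETRIES) cu->latched_off = true;
    }
    cu->outputs_enabled = !cu->latched_off && cu->errors < TH_DISABLE;
    cu->warning_lamp = cu->latched_off || cu->errors >= TH_WARN;
    return ok;
}

/* Simplified MC model: correct codeword, with optional response bits stuck at 1. */
uint8_t mc_respond(uint8_t challenge, uint8_t stuck_at_one_mask) {
    return rm13_encode(challenge) | stuck_at_one_mask;
}

/* Runs `cycles` comparisons against the MC model; returns how many were accepted. */
int run(cu_t *cu, int cycles, uint8_t stuck_mask, unsigned t_us) {
    int accepted = 0;
    for (int i = 0; i < cycles; i++)
        accepted += cu_check(cu, mc_respond(cu->challenge, stuck_mask), t_us);
    return accepted;
}

int main(void) {
    cu_t cu;
    cu_init(&cu, 0xACE1u);
    int ok = run(&cu, 10, 0x01, 1000); /* MC with response bit 0 stuck at 1 */
    printf("min distance=%d accepted=%d latched=%d outputs=%d\n",
           rm13_min_distance(), ok, cu.latched_off, cu.outputs_enabled);
    return 0;
}
```

With response bit 0 stuck at 1, the first test data value in this run (0x1, codeword 0xFF) is still answered correctly; the fault only shows on the next value, which is why the test data keep changing.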

After control unit 1 is switched on, the quiescent current is
measured for a set number (typically 8 to 16) of selected
instants of a test program. The communication between
microcomputer MC and monitoring unit CU for measuring the
quiescent current is carried out via the two handshake lines
START and END. While the quiescent current is being measured,
microcomputer MC stops clock generator CLK. Between monitoring
unit CU and microcomputer MC are two separate voltage supply
lines, VDD_digital for supplying the digital component of
microcomputer MC and VDD_analog for supplying the analog
component of microcomputer MC. The quiescent current is
measured in voltage supply line VDD_digital.

The quiescent current measurement is enabled after the voltage
supply is switched on via signal IDDQ_EN of control system 6
of monitoring unit CU. The successful completion of the
quiescent current measurement is signaled to control system
6 of monitoring unit CU by signal IDDQ_FIN. Consequently,
monitoring unit CU advances the test run in that
initialization circuit 15 enables test data signal generator
10 via a signal IDDQ_OK.

Figure 3 shows a circuit configuration for measuring the
quiescent current including a two-wire handshake. Figure 4
shows the timing diagram of measuring run control 7 for the
quiescent current measurement from Figure 3. After control
unit 1 is switched on, microcomputer MC starts its self-test.
Part of this self-test is the quiescent current measurement.
If the functional sequence in microcomputer MC reaches the
quiescent current test, the START signal is activated. At
instant T1, the quiescent current measurement is activated by
signal_Act. The output of comparator 12 for the quiescent
current measurement is evaluated after time T2. If the value
is acceptable, microcomputer MC is activated again by the END
signal. If the value is outside of a limiting value, the
measurement is repeated. The number of repetitions is preset.

If repeating the measurement also does not produce a correct
response, the measurement is discontinued, and monitoring unit
CU does not switch on microcomputer MC but remains in a
fail-safe mode. When all quiescent current measurements are
completed, signal IDDQ_FIN is set to HIGH. Consequently,
control system 6 of monitoring unit CU resets signal IDDQ_EN
from HIGH to LOW.

ABSTRACT OF THE DISCLOSURE
A control unit, for controlling safety-critical applications,
includes a microcomputer, a monitoring unit (check unit), and
peripheral circuits (input/output), and in which, to improve
the reliability of the error detection for such control units,
and to expand the detection to additional error types, the
monitoring unit includes a first apparatus, arrangement or
structure for measuring the quiescent current of the
microcomputer; at least one quiescent current handshake line
for controlling the measurement of the quiescent current
running between the first apparatus, arrangement or structure
of the monitoring unit and the microcomputer; the monitoring
unit including a second apparatus, arrangement or structure
for applying a test data input signal to the microcomputer,
for processing the test data input signal, and for comparing
the corresponding test data output signal of the microcomputer
to the corresponding test data output signal of the monitoring
unit; and at least one test data signal transmission line
running between the second apparatus, arrangement or structure
of the monitoring unit and the microcomputer.

CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS
FIELD OF THE INVENTION

The present invention relates to a control unit for
controlling safety-critical applications, having a
microcomputer (MC), a monitoring unit (check unit, CU), and
peripheral circuits (input output, IO). Furthermore, the
present invention relates to a method for checking a
microcomputer (MC) of a control unit for controlling
safety-critical applications, the control unit having
microcomputer (MC), a monitoring unit (check unit, CU), and
peripheral circuits (input output, IO).

[Background Information] BACKGROUND INFORMATION

In control units that control or regulate applications or
functions that are critical with regard to safety, errors of
the microcomputer (MC) or of a processor of the microcomputer
[must] may be detected by monitoring. Such control units having
safety tasks are used, for example, for anti-lock braking
systems, for traction control systems, and/or for electronic
stability programs. The safety-critical applications
controlled by the control unit are connected to the control
unit via the peripheral circuits. In the case of
single-computer control units, methods having a self-test,
plausibility check, and watchdog [are known] may be available.

For testing CMOS chips (integrated circuits, IC) at the
manufacturer, methods and measuring devices for measuring the
quiescent current are used. The background of the so-called
quiescent current test is that in a digital CMOS chip in
purely static logic, it is believed that almost the entire
power loss during the switching operations occurs in its
interior. In the rest state, the current flow is restricted to
tiny leakage currents as well as to currents through pullup
resistors or pulldown resistors at the inputs and through
external loads at the output drivers. [Many] It is believed
that various production-dependent errors may lead to increased
conductivity between the positive and negative supply voltage
[. A], and that activating such defective regions (point
defects) of the circuit causes the current consumption to
increase abruptly. Such defects [can] may be ascertained by a
highly exact measurement of the current consumption during the
test operation and a comparison to corresponding setpoint
values. As already stated, such a quiescent current
measurement [is] may be used in the manufacture of CMOS chips
to sort out the defective chips after the manufacturing
process.

[It is known from the related art to also use t]The quiescent
current test method [ known], which is believed to be available
for use in the [manufacture] manufacturing of computer modules
for the control units [of the species cited at the outset] (as
referred to above), to test the computer modules during their
normal operation [in order to be able to detect] for detecting
what may be the most frequent defects in the computer modules,
in particular in the microcomputer (MC), e.g. lock-up errors
(stuck-at), bridge errors (bridging), and/or interrupt errors
(stuck-open).

[It is further known from the related art to provide] An
available approach for increasing reliability in the case of
control units (as referred to above) involves providing two
MCs, which reciprocally test one another by parallel computing
and/or plausibility checks [, to increase reliability in the
case of control units of the species cited at the outset].
However, cost considerations [result in the suggestion of] may
suggest using only one MC for such control units.

[The object] SUMMARY OF THE INVENTION

An object of an exemplary method and/or exemplary embodiment
of the present invention is to [develop and further
refine] provide a control unit [of the species cited at the
outset to the effect that] in which the reliability of the
error detection is [ further] improved, and the detection is
expanded to additional types of errors.

[To achieve this object, starting from a control unit of the
species cited at the outset,] In an exemplary embodiment of the
present invention [ proposes that], the monitoring unit (CU)
has a first [means] apparatus, arrangement or structure for
measuring the quiescent current of the microcomputer (MC), [
that] at least one handshake line for controlling the
measurement of the quiescent current runs between the first
[means] apparatus, arrangement or structure of the CU and the
MC, [that ] the CU has a second [means] apparatus, arrangement
or structure for applying a test data input signal to the MC
to process the test data input signal and compare the
corresponding test data output signal of the MC to the
corresponding test data output signal of the CU, and [that ] at
least one test data signal transmission line runs between the
second [means] apparatus, arrangement or structure of the CU
and the MC.

In accordance with the exemplary embodiment and/or exemplary
method of the present invention, [ it was recognized that] the
reliability of the error detection can be increased by using
two different test methods that supplement one another. In
this manner, it is believed that a significantly greater
number of different error types of the computer modules of the
MC can be detected.

The control unit according to the exemplary embodiment of the
present invention can also have a plurality of MCs and a
plurality of CUs. However, the following assumes that the
control unit has one MC and one CU. The CU of the control unit
according to the exemplary embodiment of the present invention
has a first [means] apparatus, arrangement or structure for
measuring the quiescent current of the MC.

At least one handshake line for controlling the measurement of
the quiescent current runs between the first [means] apparatus,
arrangement or structure of the CU and the MC. The handshake
line can, for example, be [ designed as] a bidirectional line.

After the control unit is switched on, the quiescent current
is measured for a set number (typically 8 to 16) of selected
commands within the framework of a test program. For example,
14 selected commands containing an internal machine cycle are
processed for microcomputer TMS470.

To supplement the quiescent current measurement, the CU of the
control unit according to the exemplary embodiment of the
present invention has a second [means] apparatus, arrangement
or structure. At least one transmission line for test data
signals runs between the second [means] apparatus, arrangement
or structure of the CU and the MC.

The second [means apply] apparatus, arrangement or structure
applies a test data signal to the MC. The MC calculates a test
data output signal, which is dependent upon the test data
input signal and the states inside the MC. Defective states
result in a changed test data output signal of the MC.

In the second [means] apparatus, arrangement or structure of
the CU, the test data input signal is also processed to form a
test data output signal that is used as a reference signal for
checking the test data output signal of the MC. When
calculating the test data output signal, the CU assumes an
error-free, functioning MC. The completed calculation
[preferably] may ha[s]ve a [very] "very simple" design. [ ]

The microcomputer does not have a double design, and the same
computation is not carried out by the CU as by the MC, as is
the case for parallel computer systems. Rather, starting from
the input data of a predefined test function, the MC
calculates the output data whose results are checked by the CU
using the reference signal calculated by it. The test function
used for calculating the output data [typically has a very] may
be "very simple [ design]" in its implementation. The
calculation only requires minimal computing time. However,
complex tests and results from the application programs can
also be included in this test function.

Finally, the test data output signal of the CU is compared to
the test data output signal of the MC. If they deviate from
one another, or if the deviation exceeds a predetermined
threshold value, the CU recognizes an error of the MC. The
test result can be displayed by a display device and/or it can
be provided that upon occurrence of an error, [provision is
made for] and the system may be controlled and/or regulated by
the control unit to be switched off.

According to [an advantageous further refinement] another
exemplary embodiment of the present invention, [it is proposed
that ] the first [means] apparatus, arrangement or structure
includes an IDDQ measuring circuit, a voltage supply, an IDDQ
measuring run control (MAS), and a control system of the CU,
and that the connection between the first [means] apparatus,
arrangement or structure, and the MC includes two handshake
lines that run from the IDDQ-MAS to the MC and at least one
voltage supply line that runs from the voltage supply to the
MC, at least one of the voltage supply lines running through
(or across) the IDDQ measuring circuit. In semiconductors, IDD
designates the positive supply current. IDDQ designates the
quiescent current. The handshake lines are, for example,
configured as START and END handshake lines for starting and
acknowledging the completion of the functional test.

The communication between the MC and the CU for measuring the
quiescent current is carried out via the two handshake lines.
The quiescent current of the MC is measured by the CU via the
separate voltage supply lines.

As stated, the exemplary embodiment of the present invention
relates to a control unit having a monitoring unit for
checking the microcomputer of the control unit. A voltage
supply unit is provided for supplying voltage to the control
unit and, as such, also to the microcomputer. The control unit
of the CU includes [means] an apparatus, arrangement or
structure that can bring the MC into specific operating
states. [ ]

Furthermore, [ present in] the IDDQ measuring circuit includes
a [re] measuring [means] apparatus, arrangement or structure
that ascertains the current or voltage in the voltage supply
circuit of the MC, whereupon the determined current or the
determined voltage [is] may be compared in a comparison
[means] apparatus, arrangement or structure, also present in
the IDDQ measuring circuit, to at least one predefined
threshold value.

By [simply ] measuring the current or voltage, a plurality of
possible errors in the computer can be ascertained using the
IDDQ measurement. In this context, it is believed that what
may be the most frequent errors in the components of the MC
can be substantially covered using a minimum of test steps.
Such errors can be lock-up errors (stuck-at), bridge errors
(bridging), and/or interrupt errors (stuck-open).

As a result of the combination of the quiescent current
measurement and another suitable checking method, in
particular including a check of the functionality of the MC
based on test data records, it is believed that errors
[are] may be widely covered with respect to the significant
errors in computer modules, in particular in CMOS processors,
in a [manner] way that may be particularly advantageous for
safety-critical applications.

The abovementioned elimination of the second processor is
largely retained so as to provide an economic advantage of the
control unit according to the exemplary embodiment of the
present invention, since the quiescent current measurement
according to the exemplary embodiment of the present invention
may only require[s] a minimal hardware expenditure.

By specially controlling the MC, the IDDQ-MAS brings
predetermined components of the MC into a low-current state.
The background of this control [is] involves the fact that [
typically] components [ are] present in the MC [that] may
require a relatively high current. Since, as stated at the
outset, the quiescent current measurement [is generally] may be
based on fluctuations in the quiescent current within
relatively small bandwidths, the high current consumption of
the MC components interferes with the IDDQ measurement. In
particular, [it is provided ]th[at]e components to which the
IDDQ measurement does not apply are brought into a low-current
state. Such components can be the MC output stage and/or an
input stage (e.g. analog/digital converter), as well as
circuits for internally multiplying the clock pulse. [ ]

In the simplest case, the components having high current
consumption are switched off during the test. Thus, internal
circuit elements and circuit outputs that carry high currents
are switched off. Subsequently, the quiescent current can be
measured.

In addition to switching off the components of the MC having
high current as mentioned above, [it can also be provided that
] the core of the MC [is to] may be brought into a state of low
current consumption. In the case of such MC modules configured
specifically for the quiescent current measurement, a special
operating state, a so-called IDDQ test mode, [is] may be
provided. In this operating state, all currents inside of the
computer are switched off, i.e., the current in the MC core is
minimized. [ ]

The IDDQ design is such that standard errors in the MC core
become noticeable as an increase in the quiescent current.
Thus, for example, short-circuit errors and/or stuck-at errors
(short circuit to ground or the supply voltage) are
[immediately] "immediately" or quickly manifested in an
increase in the quiescent current. In this context, it is not
believed to be necessary to pass on (to propagate) the effect
of such an error to the outputs of the MC. The increased
current consumption is the immediate error indicator.

In addition to the IDDQ test mode described above, it can be
provided that only the MC components having a high current are
switched off, and, in response to a command, the MC enters a
defined low-current state. In this context, the MC core does
not have to be specially configured for the IDDQ test mode.
This is called the power-down mode.

The power-down mode is initiated by loading internal
components of the computer, such as the register and memory,
with certain patterns, and by bringing the abovementioned
computer components into a state of low current consumption,
e.g., by executing a certain computer command. If this state
is achieved, a clock generator can be selectively switched off
or disconnected. Subsequently, the quiescent current or a
corresponding voltage value is measured and compared to a
threshold value corresponding to the above-set operating state
(power-down state) of the MC core. If certain errors are
present in the computer (stuck-at errors, bridging errors,
stuck-open errors), the result [is typically] may be an
increase in the quiescent current or in the voltage drop
caused by the quiescent current.

After such a test step, additional test steps can follow in
that the power-down mode is first exited by applying certain
signal levels to specific connections of the MC. By again
starting or switching on the clock generator, the internal
computer components, such as the register and the memory, are
loaded with additional patterns, and the abovementioned
components are again brought into a low-current state, e.g.,
by executing a specific computer command (power-down command).
The above-described measurement of the quiescent current then
follows. As a result of a plurality of such consecutively
performed measurements of the power-down current, errors in
the registers, memories, and components of the computer core
[are] may be ascertained in an increasingly more complete
manner.

According to the exemplary computer [type ] and [design of
the] exemplary circuit, the individual test steps are ended by
re-enabling the clock generator, by triggering a reset, or by
triggering an external interrupt. After the last test step,
the MC runs again in its normal operating mode (normal
operation).

In addition [of ] to the above-described quiescent current
measurement in the power-down mode, provision is also made in
accordance with the exemplary embodiment of the present
invention for the quiescent current to be measured in the
indicated IDDQ test mode[, ] (provided the computer to be
checked is suitably configured). The start of the IDDQ test
mode is initiated by changing the signal level at a connection
of the MC, for example. Also in this context, the register and
memory are loaded with certain patterns prior to entering the
IDDQ test mode. [ ]

Upon entering the IDDQ test mode, the computer components
having high current consumption are switched off. Furthermore,
by discontinuing or decoupling the time pulse while executing
a command, the computer core can be kept in a state
[typical] "typical" for this command. These commands are
selected [in such a manner] so that they adjust the states of
the internal circuit nodes of the computer core so that as
many errors as possible or at least more errors can be
detected via the quiescent current measurement.

The handshake for the quiescent current measurement is carried
out or performed in a number of steps:

S1: The MC sets the START signal to HIGH. Consequently, the
CU knows that an IDDQ measurement is beginning.

S2: The MC can selectively prepare to stop the time pulse
(master clock, MCLK), in that it sets a signal PREP to
LOW via an internal command.



MARKED UP VERSION OF SUBSTITUTE SPECIFICATION 



S3: The MC decodes the precisely defined instant within the
next suitable command for the IDDQ test and also sets a
signal DEKOD to LOW. Now the MCLK is set equal to LOW,
and the digital component of the MC is set to static
operation for the IDDQ measurement.

S4: The CU performs the IDDQ measurement.

S5: The CU outputs the level sequence LOW-HIGH-LOW at the
signal END, thereby reactivating the MCLK.

S6: The MC becomes active again and confirms the end of the
measurement by setting the START signal to LOW. The MC
continues the program and prepares the next IDDQ
measurement or ends the IDDQ measurement when all
measurements have been carried out.

Two voltage supply lines [preferably] may run between the
voltage supply and the MC, one voltage supply line running
through the IDDQ measuring circuit. The quiescent current of
the MC is measured via the voltage supply line that runs
through the IDDQ measuring circuit.

According to another [advantageous further
refinement] exemplary embodiment of the control unit according
to the present invention, [it is proposed that ] the first
[means] apparatus, arrangement or structure includes an IDDQ
measuring circuit, a voltage supply, an IDDQ measuring run
control (MAS), and a control system of the CU, and [that ] the
connection between the first [means] apparatus, arrangement or
structure and the MC includes four handshake lines that run
from the IDDQ-MAS to the MC and at least one voltage supply
line that runs from the voltage supply to the MC, at least one
of the voltage supply lines running through the IDDQ measuring
circuit. [ ]

In the case of four handshake lines, a time-pulse (CLK) line
and a line for a power-down (PWRDN) control can be provided
for the MC in addition to the lines START, END in the case of
two handshake lines. In this [specific] exemplary embodiment of
the control unit, a shared voltage supply line to the
processor is sufficient, the quiescent current being measured
in the voltage supply line. The clock generator is then
stopped in the CU. The control of voltage supply circuits for
analog circuits and IO circuits in the MC is carried out or
performed via the PWRDN line from the CU. As such, only the
quiescent current of the digital component of the MC flows in
the measuring case through the shared voltage supply line.

Advantageously, the first [means have] apparatus, arrangement
or structure includes an initialization circuit, which
receives an initialization signal from the voltage supply
after the control unit is switched on and subsequently
transmits an enable signal to the IDDQ-MAS to enable the IDDQ
measurement. The successful completion of the IDDQ
measurement is signal[iz]ed by an additional signal to the
control system of the CU. Consequently, the CU advances the
test run in that the initialization circuit enables the test
data signal generator via an additional signal.

According to [an advantageous specific] another exemplary
embodiment of the present invention, the second
[means] apparatus, arrangement or structure includes a test
data signal generator for applying a test data input signal to
the MC, a response generator for processing the test data
input signal and for forming a corresponding test data output
signal, a test data register for transmitting and receiving
test data, and a comparator for comparing the test data output
signal of the MC to the test data output signal of the CU[;
and t]. The connection between the second [means] apparatus,
arrangement or structure and the MC includes at least one test
data transmission line, which runs between the test data
register and the MC. Advantageously, two test data
transmission lines may run between the test data register and
the MC.

The test data signal generator is also activated by the
initialization circuit after the control unit is enabled. In
the test data signal generator, the test data for the MC are
generated in a virtually random order by a feedback shift
register. With the aid of the Reed-Muller codes, the bit
string for the test data output signal (the so-called
reference signal) is formed in the response generator, for
every test data input signal. This code is used to maintain a
distance that is as great as possible in the space of numbers
of the test data output signals (Hamming distance). In the
comparator, the theoretically calculated test data output
signal from the response generator of the CU is then compared
to the actual test data output signal of the MC from the test
data register.

The second [means preferably have] apparatus, arrangement or
structure may also include a trigger generator, which
determines the instant at which the test data output signal of
the MC is available at the comparator, in the case of an
error-free MC. The trigger generator stipulates the instant of
the comparison of the determined test data output signal of
the MC and the actual response of the CU. As a result, it is
at least better ensured that the time slices in the MC proceed
correctly. The comparator not only checks the test data output
signal for the correct data value but also to determine
whether the test data output signal is transmitted within a
specific timing window.

Advantageously, the second [means have a] apparatus,
arrangement or structure includes an error counter, which
counts up or down, [in the event that] if the test data output
signal of the MC is not consistent with the test data output
signal of the CU, and/or [in the event that] if the test data
output signal of the MC is available at the comparator at an
instant that differs from the one determined by the trigger
generator. By a counting pulse, the comparator causes the
error counter to count up or down. If the value and instant of
the test data output signal are correct, the error counter is
decremented, for example. If the error counter falls below a
predefined value, an external warning light, for example, is
switched on or off via a signal interface, and a relay for
manipulating the safety-critical application is enabled.

The manipulation of the application to be controlled [is
typically] may be limited to discontinuing the application. In
the case of special applications, it can, however, be useful
for the error counter to have a plurality of response
thresholds, exceeding the response threshold resulting in a
different reaction in each case. As a result, the application
can be prevented from being immediately interrupted in the
case of a singular disturbance, and the disabling path can be
checked by the computer.

If the MC responds to a test data input signal at the wrong
instant or with an incorrect value, the same test data input
signal is applied to the MC again until the instant and value
of the test data output signal are correct. If this does not
occur within a predefined time period, the CU switches off the
control unit or the application, and it cannot be re-activated
even by correct responses.

The second [means preferably have] apparatus, arrangement or
structure may include an initialization circuit, which
receives an initialization signal from the voltage source
after the control unit is enabled, subsequently synchronizes
the CU with the MC, and then activates the test data signal
generator and the error counter. The CU is synchronized with
the MC in that the CU waits for the first data transmission of
the MC.

An additional object of the exemplary embodiment of the
present invention is to [develop and further refine] provide a
method for checking a microcomputer [of the species cited at
the outset to the effect] so that the reliability of the error
detection [are further] may be improved, and the detection
[is] may be expanded to additional types of errors.

To achieve this object, [starting from] in the exemplary method
of [ the species cited at the outset,] the present invention [
proposes that], the CU of the control unit measures the
quiescent current of the MC and applies a test data input
signal to the MC, determines a first test data output signal,
and compares a second test data output signal of the MC to the
first test data output signal of the CU.

Advantageously, the quiescent current measurement is in the
form of an IDDQ measurement. [Preferably, t]The IDDQ
measurement [is] may be carried out or performed after the
control unit is switched on after being enabled by an enable
signal.



According to [an advantageous further refinement of
the] another exemplary method according to the present
invention, the second test data output signal of the MC is
compared to the first test data output signal of the CU while
the control unit is in operation. This may ha[s]ve the
advantage that the control unit does not have to be switched
off to test the functionality of the microcomputer. Rather, MC
computing power not used for controlling the application can
be used to check the MC while the control unit is in
operation.

[Preferably, a] A false test data output signal [is] may be
transmitted one time at regular intervals to the CU while the
control unit is in operation to check the functionality of the
disabling path.

[An additional advantageous] Another exemplary embodiment of
the present invention [start from] involves the
[assumption] fact that a clock generator is stopped by the MC
during the IDDQ measurement and/or while the second test data
output signal of the MC is being compared to the first test
data output signal of the CU. The clock generator is provided
in the control system of the CU. The internal computer
operations in particular are controlled as a function of the
output signal of this clock generator. In the described IDDQ
test mode, it is provided that this clock generator is
switched off or disabled or disconnected from the MC. This can
also be carried out or performed in the power-down mode when a
particularly low quiescent current is to be achieved. The
clock generator is switched off or disabled or disconnected
especially at the start of every quiescent current
measurement.

[Preferably, t]The test data input signal of the CU [is] may be
generated by a test data signal generator, via a feedback
shift register. [Preferably, t]The test data output signal of
the CU [is] may be generated by a response generator, with the
aid of the Reed-Muller code.

The exemplary control unit according to the present invention
can be checked by two different test runs. A so-called
start-up test is carried out immediately following the
switching on of the control unit and prior to the operation of
the control unit for controlling or regulating the
safety-critical application. After the start-up test, a
so-called online test is carried out or performed from time to
time while the control unit is in operation.

The start-up test is subdivided into two test segments, the
so-called processor initialization segment (Proz-Init) and the
subsequent so-called operating system initialization segment
(BS-Init). The processor initialization segment includes a
command test and a core test, a RAM/ROM test, and an IDDQ
test. The operating system initialization segment includes a
start-up control and a test of the CU. In the start-up
control, different input values are tested on the control unit
(e.g. a certain speed pattern of the wheels of a vehicle, as
can typically occur at the input of an ABS control unit of the
vehicle). The control unit carries out a regulation or control
of the application based on the input values. The result of
the simulated regulation or control is compared to
corresponding setpoint values. When testing the CU, a
defective MC is simulated, and the reaction of the CU to the
defect is checked.

The online test has a command test and a core test, a RAM/ROM
test, a test of the CU, and a replication test. In the
replication test, double memory spaces are provided for
certain safety-critical variables, and certain safety-critical
calculations are carried out twice. The contents of the double
memory spaces and the results of the double calculations are
compared to one another. The redundant storing and the
redundant calculation are carried out by a processor of the
control unit.

Furthermore, the online test has a plausibility check in which
control signals or regulation signals determined by the MC are
checked for plausibility. In the case of an ABS control unit,
one can, for example, check whether the speed, the
acceleration, or the deceleration are within certain limits.
Moreover, the values of the individual wheels of the vehicle
must be in a certain relation to one another, which can also
be checked. Finally, the online test has another operating
system test and a test of the remaining monitoring units of
the control unit.

[A preferred exemplary embodiment of the present invention is
explained in more detail in the light of the following
drawings. The figures show:

Figure 1 ]

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 shows a schematic [ overview of a] block diagram of
[a] an exemplary control unit according to the present
invention[;].

Figure 2[ ] shows a more detailed [overview] view of a block
diagram of the control unit from Fig. 1[;].

Figure 3[ ] shows [a] an exemplary circuit configuration for a
quiescent current measurement including a two-wire
handshake[;].

Figure 4[ ] shows a timing diagram of the measuring run
control for the quiescent current from Figure 3.

DETAILED DESCRIPTION 

Figure 1 shows a schematic [overview of a ] block diagram of
[a] an exemplary control unit according to the present
invention. Reference numeral 1 designates the exemplary
control unit according to the present invention in its
entirety. Control unit 1 is used to control safety-critical
applications, e.g. for anti-lock (braking) systems, for
traction control systems, and/or for electronic stability
programs. [ ]

Control unit 1 has a microcomputer MC, a monitoring unit (CU,
check unit), and peripheral circuits (IO, input/output).
Microcomputer MC, monitoring unit CU, and peripheral circuits
IO are connected in series via a serial synchronous databus 2.
Via its data output line MC_Dout, microcomputer MC transmits
the data output signals through databus 2 to the bus users and
simultaneously receives the data input signals via its data
input line MC_Din. Using the signal SAM (sample), the bus
users store the data received in their storage registers.

There are additional connecting lines between microcomputer MC
and monitoring unit CU, namely a shared supply line VDD or
alternatively, a plurality of supply lines VDD for a digital
and analog supply of microcomputer MC. Finally, IDDQ handshake
lines IDDQ-HDSHK, which are used for controlling the quiescent
current measurement (IDDQ measurement) of microcomputer MC,
run between microcomputer MC and monitoring unit CU. So-called
disabling paths 3 lead from monitoring unit CU to external
warning lamps and/or relays to manipulate the safety-critical
applications to be controlled, depending on whether monitoring
unit CU detects an error of microcomputer MC. Peripheral
circuits IO have connecting lines 4 to safety-critical
application 5 to be controlled.

After control unit 1 is switched on, the quiescent current is
measured to check the functionality of microcomputer MC. While
control unit 1 is in operation, the functionality of
microcomputer MC is checked in that it regularly receives test
data records, and the corresponding second test data output
signal of the MC is compared to an error-free first test data
output signal calculated by monitoring unit CU.

Figure 2 shows a detailed overview of a block diagram of the
control unit 1 from Figure 1. Monitoring unit CU includes a
control system 6 of monitoring unit CU, a measuring run
control 7 for the IDDQ measurement, an IDDQ measuring circuit
8, and a voltage supply 9. Control system 6 of monitoring unit
CU includes a test data signal generator 10, a response
generator 11, and a comparator 12. With the aid of test data
signal generator 10, a test data input signal is applied to
microcomputer MC, and the microcomputer determines a second
test data output signal as a function of the test data input
signal and its own internal states. [ ]

Response generator 11 processes the same test data input
signal and forms a corresponding first test data output
signal. In comparator 12, the first test data output signal of
monitoring unit CU is compared to the second test data output
signal of microcomputer MC. A trigger generator 13 determines
the instant at which the second test data output signal of
microcomputer MC is available at comparator 12, given an
error-free, functioning microcomputer MC.

Control system 6 of monitoring unit CU further has an error
counter 14, which counts an error, [in the event that] if the
second test data output signal of microcomputer MC is not
consistent with the first test data output signal of
monitoring unit CU, and/or [in the event that] if the second
test data output signal of microcomputer MC is available at
comparator 12 at a different instant than the one determined
by trigger generator 13.

Furthermore, control system 6 of monitoring unit CU has a test
data register 17, which is used for transmitting and receiving
test data.

Finally, control system 6 of monitoring unit CU also has an
initialization circuit 15, which receives an initialization
signal RST from voltage supply 9 after control unit 1 is
switched on and subsequently synchronizes monitoring unit CU
with microcomputer MC in that the monitoring unit waits for
the first data transmission of the MC. Initialization circuit
15 subsequently activates test data signal generator 10 and
error counter 14.



In test data signal generator 10, the test data input signals
for microcomputer MC are generated in a virtually random order
by a feedback shift register. With the aid of the Reed-Muller
codes, the bit string for the corresponding first test data
output signal is formed in response generator 11, for every
test data input signal. This code is used to maintain a
distance that is as great as possible in the space of numbers
of the test data output signals (Hamming distance). In
comparator 12, the first test data output signal determined in
response generator 11 is then compared to the actual second
test data output signal of microcomputer MC.

The instant of the comparison is specified by trigger
generator 13. This is intended to ensure[s] that the time
slices in microcomputer MC proceed correctly. Comparator 12
not only checks the second test data output signal of the MC
for the correct data value but also to determine whether the
test data output signal is transmitted within a specific
timing window. If the value and instant of the second test
data output signal of the MC are correct, error counter 14 is
decremented, and the safety-critical application to be
controlled is kept in an active state via a signal interface
16 in that external warning lights are switched off and the
relays for triggering application 5 are activated.

In every cycle following this first cycle, the instant and
value of the second test data output signal of the MC must be
correct to prevent error counter 14 from responding
immediately. Error counter 14 has a plurality of response
thresholds to prevent control unit 1 or application 5 from
being switched off in the case of a singular disturbance and
to enable microcomputer MC to check the disabling path. The
first step blocks the valve output stages via signal EN and
switches off the voltage supply of the valves via valve relay
VRA. The display of the warning lights SILA is delayed by one
cycle, so that there is no display when testing the disabling
path.

If a test data input signal is responded to at the wrong
instant or with an incorrect value, the same test data input
signal is applied again to microcomputer MC until the instant
and value are correct. If this does not occur within a
predefined time period, monitoring unit CU switches off the
control unit 1, and it can no longer be activated even by
correct responses.
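
The following C sketch is an added illustration, not code from the
application: it models test data signal generator 10, response
generator 11, comparator 12 with its timing window, and error counter
14 as described above. The 4-bit shift register, the RM(1,3) code, the
counter thresholds, the retry limit that stands in for the predefined
time period, and the window limits are assumptions chosen for the
example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed parameters; the page gives no numeric values for any of them. */
enum {
    CNT_INIT = 4,          /* error counter value after initialization     */
    CNT_ENABLE_BELOW = 2,  /* application enabled while counter is below   */
    CNT_MAX = 7,           /* saturation value of the counter              */
    RETRY_LIMIT = 3,       /* stands in for the "predefined time period"   */
    T_MIN_US = 90,         /* timing window around the trigger instant     */
    T_MAX_US = 110
};

typedef enum { OUT_DISABLED, OUT_ENABLED, OUT_LATCHED_OFF } out_state_t;

typedef struct {
    uint8_t challenge;   /* current test data input signal (4 bits)        */
    uint8_t counter;     /* error counter 14                               */
    uint8_t retries;     /* failed attempts on the current challenge       */
    bool latched_off;    /* set once, never cleared by correct responses   */
} monitor_t;

/* Test data signal generator: 4-bit feedback shift register, x^4 + x^3 + 1.
 * From any non-zero seed it visits all 15 non-zero states. */
uint8_t lfsr4_next(uint8_t s)
{
    uint8_t fb = (uint8_t)(((s >> 3) ^ (s >> 2)) & 1u);
    return (uint8_t)(((s << 1) | fb) & 0x0Fu);
}

unsigned lfsr4_period(uint8_t seed)
{
    unsigned n = 0;
    uint8_t s = seed;
    do { s = lfsr4_next(s); n++; } while (s != seed && n < 64);
    return n;
}

/* Response generator: first-order Reed-Muller code RM(1,3), 4 bits -> 8 bits.
 * Codeword bit i is m0 ^ m1*i0 ^ m2*i1 ^ m3*i2. */
uint8_t rm13_encode(uint8_t m)
{
    uint8_t cw = 0;
    for (unsigned i = 0; i < 8; i++) {
        unsigned bit = (m & 1u) ^ ((m >> 1) & i & 1u)
                     ^ ((m >> 2) & (i >> 1) & 1u) ^ ((m >> 3) & (i >> 2) & 1u);
        cw |= (uint8_t)(bit << i);
    }
    return cw;
}

/* Smallest Hamming distance between any two valid reference signals. */
unsigned rm13_min_distance(void)
{
    unsigned best = 8;
    for (unsigned a = 0; a < 16; a++)
        for (unsigned b = a + 1; b < 16; b++) {
            unsigned x = rm13_encode((uint8_t)a) ^ rm13_encode((uint8_t)b);
            unsigned d = 0;
            for (; x; x &= x - 1) d++;
            if (d < best) best = d;
        }
    return best;
}

void monitor_init(monitor_t *m, uint8_t seed)
{
    m->challenge = seed;
    m->counter = CNT_INIT;
    m->retries = 0;
    m->latched_off = false;
}

/* Comparator and error counter for one MC response arriving at t_us. */
out_state_t monitor_step(monitor_t *m, uint8_t response, unsigned t_us)
{
    if (m->latched_off)
        return OUT_LATCHED_OFF;
    bool ok = response == rm13_encode(m->challenge)
           && t_us >= T_MIN_US && t_us <= T_MAX_US;
    if (ok) {
        if (m->counter > 0) m->counter--;
        m->retries = 0;
        m->challenge = lfsr4_next(m->challenge);  /* next test data        */
    } else {
        if (m->counter < CNT_MAX) m->counter++;
        if (++m->retries >= RETRY_LIMIT) {        /* same challenge kept   */
            m->latched_off = true;
            return OUT_LATCHED_OFF;
        }
    }
    return m->counter < CNT_ENABLE_BELOW ? OUT_ENABLED : OUT_DISABLED;
}

int main(void)
{
    monitor_t m;
    monitor_init(&m, 1);
    printf("LFSR period %u, minimum response distance %u\n",
           lfsr4_period(1), rm13_min_distance());
    for (int cycle = 0; cycle < 10; cycle++) {
        uint8_t r = rm13_encode(m.challenge);
        if (cycle >= 6) r ^= 0x01;  /* constructed fault: bit 0 inverted   */
        out_state_t s = monitor_step(&m, r, 100);
        printf("cycle %d counter %u state %d\n", cycle, m.counter, (int)s);
    }
    return 0;
}
```

A single late or wrong response raises the counter without crossing the
enable threshold, while a persistent fault on the same challenge latches
the monitor off regardless of later correct responses.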

After control unit 1 is switched on, the quiescent current is
measured for a set number (typically 8 to 16) of selected
instants of a test program. The communication between
microcomputer MC and monitoring unit CU for measuring the
quiescent current is carried out via the two handshake lines
START and END. While the quiescent current is being measured,
microcomputer MC stops clock generator CLK. Between monitoring
unit CU and microcomputer MC are two separate voltage supply
lines, VDD_digital for supplying the digital component of
microcomputer MC and VDD_analog for supplying the analog
component of microcomputer MC. The quiescent current is
measured in voltage supply line VDD_digital.

The quiescent current measurement is enabled after the voltage
supply is switched on via signal IDDQ_EN of control system 6
of monitoring unit CU. The successful completion of the
quiescent current measurement is signalized to control system
6 of monitoring unit CU by signal IDDQ_FIN. Consequently,
monitoring unit CU advances the test run in that
initialization circuit 15 enables test data signal generator
10 via a signal IDDQ_OK.

Figure 3 shows a circuit configuration for measuring the
quiescent current including a two-wire handshake. Figure 4
shows the timing diagram of measuring run control 7 for the
quiescent current measurement from Figure 3. After control
unit 1 is switched on, microcomputer MC starts its self-test.
Part of this self-test is the quiescent current measurement.
If the functional sequence in microcomputer MC reaches the
quiescent current test, the START signal is activated. At
instant T1, the quiescent current measurement is activated by
signal_Act. The output of comparator 12 for the quiescent
current measurement is evaluated after time T2. If the value
is acceptable, microcomputer MC is activated again by the END
signal. If the value is outside of a limiting value, the
measurement is repeated. The number of repetitions is preset. [ ]

If repeating the measurement also does not produce a correct 
response, the measurement is discontinued, and monitoring unit 
CU does not switch on microcomputer MC but remains in a 
fail-safe mode. When all quiescent current measurements are 
completed, signal IDDQ_FIN is set to HIGH. Consequently, 
control system 6 of monitoring unit CU resets signal IDDQ_EN 
from HIGH to LOW. 
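
The measuring run of Figures 3 and 4, together with handshake steps S1
to S6, can be modelled as follows. This C sketch is an added
illustration, not code from the application; the line struct, the
sample functions, the microamp values, the limit and the release of
PREP and DEKOD after each test point are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Line and status levels seen by measuring run control 7 (true = HIGH). */
typedef struct {
    bool start;            /* MC -> CU, HIGH while a measurement is open    */
    bool prep;             /* LOW once the MC prepares to stop MCLK (S2)    */
    bool dekod;            /* LOW once the test instant is decoded (S3)     */
    bool mclk_running;     /* master clock of the MC                        */
    bool iddq_fin;         /* HIGH after all measurements have passed       */
    bool fail_safe;        /* CU keeps the MC stopped                       */
    unsigned end_pulses;   /* LOW-HIGH-LOW sequences issued on END (S5)     */
    unsigned measurements; /* executions of S4, repetitions included        */
} iddq_lines_t;

typedef enum { IDDQ_PASS, IDDQ_FAIL_SAFE } iddq_result_t;

/* Hypothetical stand-in for IDDQ measuring circuit 8: current in microamps
 * at test point `point` (register/memory pattern), repetition `attempt`. */
typedef uint32_t (*iddq_sample_fn)(unsigned point, unsigned attempt);

iddq_result_t iddq_run(iddq_lines_t *l, unsigned points, unsigned max_repeats,
                       uint32_t limit_ua, iddq_sample_fn sample)
{
    *l = (iddq_lines_t){ .prep = true, .dekod = true, .mclk_running = true };
    for (unsigned p = 0; p < points; p++) {
        l->start = true;              /* S1: MC announces the measurement   */
        l->prep = false;              /* S2: MC prepares to stop MCLK       */
        l->dekod = false;             /* S3: test instant decoded ...       */
        l->mclk_running = false;      /*     ... MCLK LOW, static operation */
        bool ok = false;
        for (unsigned a = 0; a <= max_repeats && !ok; a++) {
            l->measurements++;        /* S4: CU measures and compares       */
            ok = sample(p, a) <= limit_ua;
        }
        if (!ok) {                    /* repeats exhausted: no END pulse,   */
            l->fail_safe = true;      /* MC is not switched on again        */
            return IDDQ_FAIL_SAFE;
        }
        l->end_pulses++;              /* S5: END LOW-HIGH-LOW restarts MCLK */
        l->mclk_running = true;
        l->prep = l->dekod = true;    /* assumed: released for next point   */
        l->start = false;             /* S6: MC confirms with START LOW     */
    }
    l->iddq_fin = true;               /* all points passed: IDDQ_FIN HIGH   */
    return IDDQ_PASS;
}

/* Constructed sample sources (values are illustrative, in microamps). */
uint32_t sample_healthy(unsigned point, unsigned attempt)
{
    (void)point; (void)attempt;
    return 12;
}

uint32_t sample_transient(unsigned point, unsigned attempt)
{
    return (point == 3 && attempt == 0) ? 80 : 12;  /* one noisy reading   */
}

uint32_t sample_defect(unsigned point, unsigned attempt)
{
    (void)attempt;
    return point == 5 ? 900 : 12;  /* defect excited only by pattern 5     */
}

int main(void)
{
    iddq_lines_t l;
    iddq_sample_fn src[] = { sample_healthy, sample_transient, sample_defect };
    const char *name[] = { "healthy", "transient", "defect" };
    for (int i = 0; i < 3; i++) {
        iddq_result_t r = iddq_run(&l, 8, 2, 50, src[i]);
        printf("%-9s %-9s measurements=%u END pulses=%u MCLK=%d\n", name[i],
               r == IDDQ_PASS ? "pass" : "fail-safe", l.measurements,
               l.end_pulses, (int)l.mclk_running);
    }
    return 0;
}
```

The defect case shows why several test points with different register
and memory patterns are measured: the raised current appears only at
the point whose pattern activates the faulty node.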
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ABSTRACT OF THE DISCLOSURE 

[Abstract 

The present invention relates to a] A control unit [ (1)], for 
controlling safety-critical applications [ (5)], 
[having] includes a microcomputer [ (MC) ] , a monitoring unit 
{ [CU, ] check unit), and peripheral circuits ([10, 
] input /output) [. T] , and in which, to [ further] improve the 
reliability of the error detection for such control units, and 
to expand the detection to additional error types, [a control 
unit (1) of the indicated type is proposed in accordance with 
the present invention, ] the monitoring unit [ (CU) 
having] includes a first [means] apparatus, arrangement or 
structure for measuring the quiescent current of the 
microcomputer [ (MC) ] / at least one quiescent current handshake 
line [ (IDDQ-HDSHK) ] for controlling the measurement of the 
quiescent current running between the first [means of the CU 
and the MC; the CU having second means] apparatus, arrangement 
or structure of the monitoring unit and the microcomputer; the 
monitoring unit including a second apparatus^ arrangement or 
structure for applying a test data input signal to the 
[MC] microcomputer , for processing the test data input signal, 
and for comparing the corresponding test data output signal of 
the [MC] microcomputer to the corresponding test data output 
signal of the [CU] monitoring unit; and at least one test data 
signal transmission line running between the second [means of 
the CU and the MC .] apparatus, arrangement or structure of the 
monitoring unit and the microcomputer. 



[ (Figure 2) ]

CONTROL UNIT FOR CONTROLLING SAFETY-CRITICAL APPLICATIONS

The present invention relates to a control unit for
controlling safety-critical applications, having a
microcomputer (MC), a monitoring unit (check unit, CU), and
peripheral circuits (input/output, IO). Furthermore, the
present invention relates to a method for checking a
microcomputer (MC) of a control unit for controlling
safety-critical applications, the control unit having a
microcomputer (MC), a monitoring unit (check unit, CU), and
peripheral circuits (input/output, IO).

Background Information 

In control units that control or regulate applications or 
functions that are critical with regard to safety, errors of 
the microcomputer (MC) or of a processor of the microcomputer 
must be detected by monitoring. Such control units having 
safety tasks are used, for example, for anti-lock braking
systems, for traction control systems, and/or for electronic 
stability programs. The safety-critical applications 
controlled by the control unit are connected to the control 
unit via the peripheral circuits. In the case of 
single-computer control units, methods having a self-test, 
plausibility check, and watchdog are known. 

For testing CMOS chips (integrated circuits, IC) at the
manufacturer, methods and measuring devices for measuring the
quiescent current are used. The background of the so-called
quiescent current test is that in a digital CMOS chip in
purely static logic, almost the entire power loss during the
switching operations occurs in its interior. In the rest
state, the current flow is restricted to tiny leakage currents
as well as to currents through pullup resistors or pulldown
resistors at the inputs and through external loads at the
output drivers. Many production-dependent errors lead to
increased conductivity between the positive and negative
supply voltage. Activating such defective regions (point
defects) of the circuit causes the current consumption to
increase abruptly. Such defects can be ascertained by a highly
exact measurement of the current consumption during the test
operation and a comparison to corresponding setpoint values.
As already stated, such a quiescent current measurement is
used in the manufacture of CMOS chips to sort out the
defective chips after the manufacturing process.

It is known from the related art to also use the quiescent
current test method known in the manufacture of computer
modules for control units of the species cited at the outset
to test the computer modules during their normal operation in
order to be able to detect the most frequent defects in the
computer modules, in particular in the microcomputer (MC),
e.g. lock-up errors (stuck-at), bridge errors (bridging),
and/or interrupt errors (stuck-open).

It is further known from the related art to provide two MCs,
which reciprocally test one another by parallel computing
and/or plausibility checks, to increase reliability in the
case of control units of the species cited at the outset.
However, cost considerations result in the suggestion of using
only one MC for such control units.

The object of the present invention is to develop and further
refine a control unit of the species cited at the outset to
the effect that the reliability of the error detection is
further improved, and the detection is expanded to additional
types of errors.

To achieve this object, starting from a control unit of the
species cited at the outset, the present invention proposes
that the monitoring unit (CU) has first means for measuring
the quiescent current of the microcomputer (MC), that at least
one handshake line for controlling the measurement of the
quiescent current runs between the first means of the CU and
the MC, that the CU has second means for applying a test data
input signal to the MC to process the test data input signal
and compare the corresponding test data output signal of the
MC to the corresponding test data output signal of the CU, and
that at least one test data signal transmission line runs
between the second means of the CU and the MC.

In accordance with the present invention, it was recognized
that the reliability of the error detection can be increased
by using two different test methods that supplement one
another. In this manner, a significantly greater number of
different error types of the computer modules of the MC can be
detected.

The control unit according to the present invention can also
have a plurality of MCs and a plurality of CUs. However, the
following assumes that the control unit has one MC and one CU.
The CU of the control unit according to the present invention
has a first means for measuring the quiescent current of the
MC.

At least one handshake line for controlling the measurement of
the quiescent current runs between the first means of the CU
and the MC. The handshake line can, for example, be designed
as a bidirectional line.

After the control unit is switched on, the quiescent current
is measured for a set number (typically 8 to 16) of selected
commands within the framework of a test program. For example,
14 selected commands containing an internal machine cycle are
processed for microcomputer TMS470.

To supplement the quiescent current measurement, the CU of the
control unit according to the present invention has a second
means. At least one transmission line for test data signals
runs between the second means of the CU and the MC.

The second means apply a test data signal to the MC. The MC
calculates a test data output signal, which is dependent upon
the test data input signal and the states inside the MC.
Defective states result in a changed test data output signal
of the MC.

In the second means of the CU, the test data input signal is
also processed to form a test data output signal that is used
as a reference signal for checking the test data output signal
of the MC. When calculating the test data output signal, the
CU assumes an error-free, functioning MC. The completed
calculation preferably has a very simple design. The
microcomputer does not have a double design, and the same
computation is not carried out by the CU as by the MC, as is
the case for parallel computer systems. Rather, starting from
the input data of a predefined test function, the MC
calculates the output data whose results are checked by the CU
using the reference signal calculated by it. The test function
used for calculating the output data typically has a very
simple design. The calculation only requires minimal computing
time. However, complex tests and results from the application
programs can also be included in this test function.

Finally, the test data output signal of the CU is compared to
the test data output signal of the MC. If they deviate from
one another, or if the deviation exceeds a predetermined
threshold value, the CU recognizes an error of the MC. The
test result can be displayed by a display device and/or it can
be provided that upon occurrence of an error, provision is
made for the system controlled and/or regulated by the control
unit to be switched off.

According to an advantageous further refinement of the present
invention, it is proposed that the first means include an IDDQ
measuring circuit, a voltage supply, an IDDQ measuring run
control (MAS), and a control system of the CU, and that the
connection between the first means and the MC includes two
handshake lines that run from the IDDQ-MAS to the MC and at
least one voltage supply line that runs from the voltage
supply to the MC, at least one of the voltage supply lines
running through (or across) the IDDQ measuring circuit. In
semiconductors, IDD designates the positive supply current.
IDDQ designates the quiescent current. The handshake lines
are, for example, configured as START and END handshake lines
for starting and acknowledging the completion of the
functional test.

The communication between the MC and the CU for measuring the
quiescent current is carried out via the two handshake lines.
The quiescent current of the MC is measured by the CU via the
separate voltage supply lines.

As stated, the present invention relates to a control unit
having a monitoring unit for checking the microcomputer of the
control unit. A voltage supply unit is provided for supplying
voltage to the control unit and, as such, also to the
microcomputer. The control unit of the CU includes means that
can bring the MC into specific operating states. Furthermore,
present in the IDDQ measuring circuit are measuring means that
ascertain the current or voltage in the voltage supply circuit
of the MC, whereupon the determined current or the determined
voltage is compared in comparison means, also present in the
IDDQ measuring circuit, to at least one predefined threshold
value.

By simply measuring the current or voltage, a plurality of
possible errors in the computer can be ascertained using the
IDDQ measurement. In this context, the most frequent errors in
the components of the MC can be substantially covered using a
minimum of test steps. Such errors can be lock-up errors
(stuck-at), bridge errors (bridging), and/or interrupt errors
(stuck-open).

As a result of the combination of the quiescent current
measurement and another suitable checking method, in
particular including a check of the functionality of the MC
based on test data records, errors are widely covered with
respect to the significant errors in computer modules, in
particular in CMOS processors, in a manner particularly
advantageous for safety-critical applications.

The abovementioned elimination of the second processor is
largely retained as an economic advantage of the control unit
according to the present invention, since the quiescent
current measurement according to the present invention only
requires a minimal hardware expenditure.

By specially controlling the MC, the IDDQ-MAS brings
predetermined components of the MC into a low-current state.
The background of this control is that typically components
are present in the MC that require a relatively high current.
Since, as stated at the outset, the quiescent current
measurement is generally based on fluctuations in the
quiescent current within relatively small bandwidths, the high
current consumption of the MC components interferes with the
IDDQ measurement. In particular, it is provided that
components to which the IDDQ measurement does not apply are
brought into a low-current state. Such components can be the
MC output stage and/or an input stage (e.g. analog/digital
converter) as well as circuits for internally multiplying the
clock pulse. In the simplest case, the components having high
current consumption are switched off during the test. Thus,
internal circuit elements and circuit outputs that carry high
currents are switched off. Subsequently, the quiescent current
can be measured.

In addition to switching off the components of the MC having
high current as mentioned above, it can also be provided that
the core of the MC is to be brought into a state of low
current consumption. In the case of such MC modules configured
specifically for the quiescent current measurement, a special
operating state, a so-called IDDQ test mode, is provided. In
this operating state, all currents inside of the computer are
switched off, i.e., the current in the MC core is minimized.
The IDDQ design is such that standard errors in the MC core
become noticeable as an increase in the quiescent current.
Thus, for example, short-circuit errors and/or stuck-at errors
(short circuit to ground or the supply voltage) are
immediately manifested in an increase in the quiescent
current. In this context, it is not necessary to pass on (to
propagate) the effect of such an error to the outputs of the
MC. The increased current consumption is the immediate error
indicator.

In addition to the IDDQ test mode described above, it can be
provided that only the MC components having a high current are
switched off, and, in response to a command, the MC enters a
defined low-current state. In this context, the MC core does
not have to be specially configured for the IDDQ test mode.
This is called the power-down mode.

The power-down mode is initiated by loading internal
components of the computer, such as the register and memory,
with certain patterns, and by bringing the abovementioned
computer components into a state of low current consumption,
by executing a certain computer command. If this state is
achieved, a clock generator can be selectively switched off or
disconnected. Subsequently, the quiescent current or a
corresponding voltage value is measured and compared to a
threshold value corresponding to the above-set operating state
(power-down state) of the MC core. If certain errors are
present in the computer (stuck-at errors, bridging errors,
stuck-open errors), the result is typically an increase in the
quiescent current or in the voltage drop caused by the
quiescent current.

After such a test step, additional test steps can follow in
that the power-down mode is first exited by applying certain
signal levels to specific connections of the MC. By again
starting or switching on the clock generator, the internal
computer components, such as the register and the memory, are
loaded with additional patterns, and the abovementioned
components are again brought into a low-current state, e.g. by
executing a specific computer command (power-down command).
The above-described measurement of the quiescent current then
follows. As a result of a plurality of such consecutively
performed measurements of the power-down current, errors in
the registers, memories, and components of the computer core
are ascertained in an increasingly more complete manner.

According to the computer type and design of the circuit, the
individual test steps are ended by re-enabling the clock
generator, by triggering a reset, or by triggering an external
interrupt. After the last test step, the MC runs again in its
normal operating mode (normal operation).

In addition to the above-described quiescent current
measurement in the power-down mode, provision is also made in
accordance with the present invention for the quiescent
current to be measured in the indicated IDDQ test mode,
provided the computer to be checked is suitably configured.
The start of the IDDQ test mode is initiated by changing the
signal level at a connection of the MC, for example. Also in
this context, the register and memory are loaded with certain
patterns prior to entering the IDDQ test mode. Upon entering
the IDDQ test mode, the computer components having high
current consumption are switched off. Furthermore, by
discontinuing or decoupling the time pulse while executing a
command, the computer core can be kept in a state typical for
this command. These commands are selected in such a manner
that they adjust the states of the internal circuit nodes of
the computer core so that as many errors as possible can be
detected via the quiescent current measurement.

The handshake for the quiescent current measurement is carried
out in a number of steps:

S1: The MC sets the START signal to HIGH. Consequently, the
CU knows that an IDDQ measurement is beginning.

S2: The MC can selectively prepare to stop the time pulse
(master clock, MCLK), in that it sets a signal PREP to
LOW via an internal command.

S3: The MC decodes the precisely defined instant within the
next suitable command for the IDDQ test and also sets a
signal DEKOD to LOW. Now the MCLK is set equal to LOW,
and the digital component of the MC is set to static
operation for the IDDQ measurement.

S4: The CU performs the IDDQ measurement.

S5: The CU outputs the level sequence LOW-HIGH-LOW at the
signal END, thereby reactivating the MCLK.

S6: The MC becomes active again and confirms the end of the
measurement by setting the START signal to LOW. The MC
continues the program and prepares the next IDDQ
measurement or ends the IDDQ measurement when all
measurements have been carried out.
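The handshake S1 to S6 as seen from the monitoring unit, written as an added example that is not part of the patent text: a CU state machine driven by a simulated MC, with the repeat-then-fail-safe rule and the IDDQ_FIN signal from the substitute specification. The current limit, the readings, the tick-level timing and the limit of one repeat per command are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CU-side states of the IDDQ handshake (steps S1..S6). */
typedef enum { CU_WAIT_START, CU_WAIT_STATIC, CU_END_HIGH, CU_END_LOW,
               CU_WAIT_ACK, CU_DONE, CU_FAILSAFE } cu_state_t;

typedef struct {
    cu_state_t state;
    bool end_line;      /* END output driven by the CU */
    bool iddq_fin;      /* IDDQ_FIN: HIGH once every measurement has passed */
    bool last_ok;       /* verdict of the measurement taken in S4 */
    unsigned passed;    /* test commands measured within the limit */
    unsigned total;     /* number of test commands (page: typically 8 to 16) */
    unsigned repeats;   /* repeats already used for the current command */
    uint32_t limit_ua;  /* comparison threshold in microamps (constructed) */
} iddq_cu_t;

/* One CU tick: sample START and MCLK from the MC and the supply current. */
static void cu_tick(iddq_cu_t *cu, bool start, bool mclk, uint32_t iddq_ua)
{
    switch (cu->state) {
    case CU_WAIT_START:                 /* S1: MC sets START HIGH */
        if (start) cu->state = CU_WAIT_STATIC;
        break;
    case CU_WAIT_STATIC:                /* S2/S3: wait until MCLK is held LOW */
        if (!start) { cu->state = CU_FAILSAFE; break; }  /* START dropped early */
        if (!mclk) {                    /* S4: measure only in static operation */
            cu->last_ok = iddq_ua <= cu->limit_ua;
            cu->state = CU_END_HIGH;
        }
        break;
    case CU_END_HIGH:                   /* S5: END goes LOW-HIGH-LOW */
        cu->end_line = true;
        cu->state = CU_END_LOW;
        break;
    case CU_END_LOW:
        cu->end_line = false;
        cu->state = CU_WAIT_ACK;
        break;
    case CU_WAIT_ACK:                   /* S6: MC confirms with START LOW */
        if (start) break;
        if (cu->last_ok) {
            cu->repeats = 0;
            if (++cu->passed == cu->total) {
                cu->iddq_fin = true;
                cu->state = CU_DONE;
            } else {
                cu->state = CU_WAIT_START;
            }
        } else if (cu->repeats++ == 0) {
            cu->state = CU_WAIT_START;  /* repeat the same measurement once */
        } else {
            cu->state = CU_FAILSAFE;    /* repeat failed too: MC stays off */
        }
        break;
    case CU_DONE:
    case CU_FAILSAFE:
        break;                          /* terminal states */
    }
}

/* Drive the CU with a simulated MC. readings_ua holds one constructed current
 * reading per measurement attempt; a repeated command consumes the next entry. */
iddq_cu_t run_iddq_test(const uint32_t *readings_ua, size_t attempts,
                        unsigned total, uint32_t limit_ua)
{
    iddq_cu_t cu = { .state = CU_WAIT_START, .total = total, .limit_ua = limit_ua };
    for (size_t i = 0; i < attempts; i++) {
        if (cu.state == CU_DONE || cu.state == CU_FAILSAFE) break;
        cu_tick(&cu, true,  true,  0);               /* S1: START HIGH */
        cu_tick(&cu, true,  true,  0);               /* S2: PREP LOW, clock still runs */
        cu_tick(&cu, true,  false, readings_ua[i]);  /* S3: DEKOD LOW, MCLK LOW; S4 */
        cu_tick(&cu, true,  false, readings_ua[i]);  /* S5: END HIGH */
        cu_tick(&cu, true,  false, readings_ua[i]);  /* S5: END LOW, MCLK restarts */
        cu_tick(&cu, false, true,  0);               /* S6: START LOW */
    }
    return cu;
}

int main(void)
{
    const uint32_t readings[] = { 12, 80, 14, 11 };  /* constructed, one transient */
    iddq_cu_t cu = run_iddq_test(readings, 4, 3, 50);
    printf("state=%d passed=%u IDDQ_FIN=%d\n", cu.state, cu.passed, cu.iddq_fin);
    return 0;
}
```

A single out-of-limit reading costs one repeat and the sequence still completes; two consecutive out-of-limit readings for the same command leave the CU in the fail-safe state with IDDQ_FIN still LOW.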

Two voltage supply lines preferably run between the voltage
supply and the MC, one voltage supply line running through the
IDDQ measuring circuit. The quiescent current of the MC is
measured via the voltage supply line that runs through the
IDDQ measuring circuit.

According to another advantageous further refinement of the
control unit according to the present invention, it is
proposed that the first means include an IDDQ measuring
circuit, a voltage supply, an IDDQ measuring run control
(MAS), and a control system of the CU, and that the connection
between the first means and the MC includes four handshake
lines that run from the IDDQ-MAS to the MC and at least one
voltage supply line that runs from the voltage supply to the
MC, at least one of the voltage supply lines running through
the IDDQ measuring circuit. In the case of four handshake
lines, a time-pulse (CLK) line and a line for a power-down
(PWRDN) control can be provided for the MC in addition to the
lines START, END in the case of two handshake lines. In this
specific embodiment of the control unit, a shared voltage
supply line to the processor is sufficient, the quiescent
current being measured in the voltage supply line. The clock
generator is then stopped in the CU. The control of voltage
supply circuits for analog circuits and IO circuits in the MC
is carried out via the PWRDN line from the CU. As such, only
the quiescent current of the digital component of the MC flows
in the measuring case through the shared voltage supply line.

Advantageously, the first means have an initialization
circuit, which receives an initialization signal from the
voltage supply after the control unit is switched on and
subsequently transmits an enable signal to the IDDQ-MAS to
enable the IDDQ measurement. The successful completion of the
IDDQ measurement is signalized by an additional signal to the
control system of the CU. Consequently, the CU advances the
test run in that the initialization circuit enables the test
data signal generator via an additional signal.

According to an advantageous specific embodiment of the
present invention, the second means include a test data signal
generator for applying a test data input signal to the MC, a
response generator for processing the test data input signal
and for forming a corresponding test data output signal, a
test data register for transmitting and receiving test data,
and a comparator for comparing the test data output signal of
the MC to the test data output signal of the CU; and the
connection between the second means and the MC includes at
least one test data transmission line, which runs between the
test data register and the MC. Advantageously, two test data
transmission lines run between the test data register and the
MC.

The test data signal generator is also activated by the
initialization circuit after the control unit is enabled. In
the test data signal generator, the test data for the MC are
generated in a virtually random order by a feedback shift
register. With the aid of the Reed-Muller codes, the bit
string for the test data output signal (the so-called
reference signal) is formed in the response generator, for
every test data input signal. This code is used to maintain a
distance that is as great as possible in the space of numbers
of the test data output signals (Hamming distance). In the
comparator, the theoretically calculated test data output
signal from the response generator of the CU is then compared
to the actual test data output signal of the MC from the test
data register.

The second means preferably have a trigger generator, which
determines the instant at which the test data output signal of
the MC is available at the comparator, in the case of an
error-free MC. The trigger generator stipulates the instant of
the comparison of the determined test data output signal of
the MC and the actual response of the CU. As a result, it is
ensured that the time slices in the MC proceed correctly. The
comparator not only checks the test data output signal for the
correct data value but also to determine whether the test data
output signal is transmitted within a specific timing window.

Advantageously, the second means have an error counter, which
counts up or down, in the event that the test data output
signal of the MC is not consistent with the test data output
signal of the CU, and/or in the event that the test data
output signal of the MC is available at the comparator at an
instant that differs from the one determined by the trigger
generator. By a counting pulse, the comparator causes the
error counter to count up or down. If the value and instant of
the test data output signal are correct, the error counter is
decremented, for example. If the error counter falls below a
predefined value, an external warning light, for example, is
switched on or off via a signal interface, and a relay for
manipulating the safety-critical application is enabled.

The manipulation of the application to be controlled is
typically limited to discontinuing the application. In the
case of special applications, it can, however, be useful for
the error counter to have a plurality of response thresholds,
exceeding the response threshold resulting in a different
reaction in each case. As a result, the application can be
prevented from being immediately interrupted in the case of a
singular disturbance, and the disabling path can be checked by
the computer.

If the MC responds to a test data input signal at the wrong
instant or with an incorrect value, the same test data input
signal is applied to the MC again until the instant and value
of the test data output signal are correct. If this does not
occur within a predefined time period, the CU switches off the
control unit or the application, and it cannot be re-activated
even by correct responses.
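An added example, not taken from the patent, of the test data path described above: feedback shift register, Reed-Muller response generator, comparator with timing window, error counter, and the latched switch-off. The page fixes none of the parameters, so the 4-bit register with polynomial x^4 + x^3 + 1, the RM(1,3) code, the window, the deadline, the counter threshold and the count-up-by-one on error are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All constants are constructed for this example. */
#define WIN_MIN_MS  2u   /* timing window set by the trigger generator */
#define WIN_MAX_MS  6u
#define CYCLE_MS    10u  /* one test data input signal per cycle */
#define DEADLINE_MS 30u  /* time allowed for repeating one input signal */
#define WARN_LEVEL  2    /* first response threshold of the error counter */

/* Test data signal generator: 4-bit feedback shift register, x^4 + x^3 + 1. */
uint8_t lfsr4_next(uint8_t s)
{
    uint8_t fb = (uint8_t)(((s >> 3) ^ (s >> 2)) & 1u);
    return (uint8_t)(((s << 1) | fb) & 0x0Fu);
}

/* Response generator: first-order Reed-Muller code RM(1,3). Input bits a0..a3
 * select the function a0 ^ a1*x0 ^ a2*x1 ^ a3*x2, evaluated at x = 0..7 to
 * give the 8-bit reference signal. */
uint8_t rm13_encode(uint8_t m)
{
    uint8_t cw = 0;
    for (unsigned x = 0; x < 8; x++) {
        unsigned bit = (m ^ ((m >> 1) & x) ^ ((m >> 2) & (x >> 1))
                          ^ ((m >> 3) & (x >> 2))) & 1u;
        cw |= (uint8_t)(bit << x);
    }
    return cw;
}

/* Number of steps until the shift register returns to its start value. */
unsigned lfsr4_period(uint8_t seed)
{
    unsigned n = 0;
    uint8_t s = seed;
    do { s = lfsr4_next(s); n++; } while (s != seed && n < 32);
    return n;
}

/* Smallest Hamming distance between any two reference signals. */
unsigned rm13_min_distance(void)
{
    unsigned best = 8;
    for (unsigned a = 0; a < 16; a++)
        for (unsigned b = a + 1; b < 16; b++) {
            unsigned d = 0;
            uint8_t v = (uint8_t)(rm13_encode((uint8_t)a) ^ rm13_encode((uint8_t)b));
            for (; v; v >>= 1) d += v & 1u;
            if (d < best) best = d;
        }
    return best;
}

typedef enum { V_OK, V_RETRY, V_SHUTDOWN } verdict_t;

typedef struct {
    uint8_t challenge;    /* test data input signal currently applied */
    int errors;           /* error counter */
    unsigned pending_ms;  /* time spent repeating the current input signal */
    bool warn;            /* warning lamp request */
    bool latched;         /* disabling path taken; never released */
} monitor_t;

/* Comparator: check value and arrival time of one MC response. */
verdict_t cu_compare(monitor_t *cu, uint8_t response, unsigned arrival_ms)
{
    if (cu->latched) return V_SHUTDOWN;     /* correct answers no longer help */
    bool value_ok = response == rm13_encode(cu->challenge);
    bool time_ok  = arrival_ms >= WIN_MIN_MS && arrival_ms <= WIN_MAX_MS;
    if (value_ok && time_ok) {
        if (cu->errors > 0) cu->errors--;
        cu->pending_ms = 0;
        cu->challenge = lfsr4_next(cu->challenge);  /* next test data */
    } else {
        cu->errors++;
        cu->pending_ms += CYCLE_MS;         /* same input signal is applied again */
        if (cu->pending_ms >= DEADLINE_MS) cu->latched = true;
    }
    cu->warn = cu->errors >= WARN_LEVEL;
    if (cu->latched) return V_SHUTDOWN;
    return (value_ok && time_ok) ? V_OK : V_RETRY;
}

int main(void)
{
    monitor_t cu = { .challenge = 1 };
    printf("period=%u min_distance=%u\n", lfsr4_period(1), rm13_min_distance());
    printf("good=%d\n", cu_compare(&cu, rm13_encode(1), 4));
    printf("late=%d\n", cu_compare(&cu, rm13_encode(2), 9));
    return 0;
}
```

With a minimum distance of 4 between reference signals, a response that differs from the expected one in up to three bit positions can never equal the reference for a different input, so the comparator cannot mistake it for a valid answer to another test data signal.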

The second means preferably have an initialization circuit,
which receives an initialization signal from the voltage
source after the control unit is enabled, subsequently
synchronizes the CU with the MC, and then activates the test
data signal generator and the error counter. The CU is
synchronized with the MC in that the CU waits for the first
data transmission of the MC.

An additional object of the present invention is to develop
and further refine a method for checking a microcomputer of
the species cited at the outset to the effect that the
reliability of the error detection is further improved, and
the detection is expanded to additional types of errors.

To achieve this object, starting from the method of the
species cited at the outset, the present invention proposes
that the CU of the control unit measures the quiescent current
of the MC and applies a test data input signal to the MC,
determines a first test data output signal, and compares a
second test data output signal of the MC to the first test
data output signal of the CU.

Advantageously, the quiescent current measurement is in the
form of an IDDQ measurement. Preferably, the IDDQ measurement
is carried out after the control unit is switched on after
being enabled by an enable signal.

According to an advantageous further refinement of the method
according to the present invention, the second test data
output signal of the MC is compared to the first test data
output signal of the CU while the control unit is in
operation. This has the advantage that the control unit does
not have to be switched off to test the functionality of the
microcomputer. Rather, MC computing power not used for
controlling the application can be used to check the MC while
the control unit is in operation.

Preferably, a false test data output signal is transmitted one
time at regular intervals to the CU while the control unit is
in operation to check the functionality of the disabling path.

An additional advantageous embodiment of the present invention
starts from the assumption that a clock generator is stopped by
the MC during the IDDQ measurement and/or while the second
test data output signal of the MC is being compared to the
first test data output signal of the CU. The clock generator
is provided in the control system of the CU. The internal
computer operations in particular are controlled as a function
of the output signal of this clock generator. In the described
IDDQ test mode, it is provided that this clock generator is
switched off or disabled or disconnected from the MC. This can
also be carried out in the power-down mode when a particularly
low quiescent current is to be achieved. The clock generator
is switched off or disabled or disconnected especially at the
start of every quiescent current measurement.

Preferably, the test data input signal of the CU is generated
by a test data signal generator, via a feedback shift
register. Preferably, the test data output signal of the CU is
generated by a response generator, with the aid of the
Reed-Muller code.

The control unit according to the present invention can be
checked by two different test runs. A so-called start-up test
is carried out immediately following the switching on of the
control unit and prior to the operation of the control unit
for controlling or regulating the safety-critical application.
After the start-up test, a so-called online test is carried
out from time to time while the control unit is in operation.

The start-up test is subdivided into two test segments, the
so-called processor initialization segment (Proz-Init) and the
subsequent so-called operating system initialization segment
(BS-Init). The processor initialization segment includes a
command test and a core test, a RAM/ROM test, and an IDDQ
test. The operating system initialization segment includes a
start-up control and a test of the CU. In the start-up
control, different input values are tested on the control unit
(e.g. a certain speed pattern of the wheels of a vehicle, as
can typically occur at the input of an ABS control unit of the
vehicle). The control unit carries out a regulation or control
of the application based on the input values. The result of
the simulated regulation or control is compared to
corresponding setpoint values. When testing the CU, a
defective MC is simulated, and the reaction of the CU to the
defect is checked.

The online test has a command test and a core test, a RAM/ROM
test, a test of the CU, and a replication test. In the
replication test, double memory spaces are provided for
certain safety-critical variables, and certain safety-critical
calculations are carried out twice. The contents of the double
memory spaces and the results of the double calculations are
compared to one another. The redundant storing and the
redundant calculation are carried out by a processor of the
control unit. Furthermore, the online test has a plausibility
check in which control signals or regulation signals
determined by the MC are checked for plausibility. In the case
of an ABS control unit, one can, for example, check whether
the speed, the acceleration, or the deceleration are within
certain limits. Moreover, the values of the individual wheels
of the vehicle must be in a certain relation to one another,
which can also be checked. Finally, the online test has
another operating system test and a test of the remaining
monitoring units of the control unit.

A preferred exemplary embodiment of the present invention is
explained in more detail in the light of the following
drawings. The figures show:

Figure 1 shows a schematic overview of a block diagram of a
control unit according to the present invention;

Figure 2 shows a detailed overview of a block diagram of the
control unit from Fig. 1;

Figure 3 shows a circuit configuration for a quiescent
current measurement including a two-wire handshake;

Figure 4 shows a timing diagram of the measuring run control
for the quiescent current from Figure 3.

Figure 1 shows a schematic overview of a block diagram of a
control unit according to the present invention. Reference
numeral 1 designates the control unit according to the present
invention in its entirety. Control unit 1 is used to control
safety-critical applications, e.g. for anti-lock (braking)
systems, for traction control systems, and/or for electronic
stability programs. Control unit 1 has a microcomputer MC, a
monitoring unit (CU, check unit), and peripheral circuits (IO,
input/output). Microcomputer MC, monitoring unit CU, and
peripheral circuits IO are connected in series via a serial
synchronous databus 2. Via its data output line MC_Dout,
microcomputer MC transmits the data output signals through
databus 2 to the bus users and simultaneously receives the
data input signals via its data input line MC_Din. Using the
signal SAM (sample), the bus users store the data received in
their storage registers.

There are additional connecting lines between microcomputer MC
and monitoring unit CU, namely a shared supply line VDD or
alternatively, a plurality of supply lines VDD for a digital
and analog supply of microcomputer MC. Finally, IDDQ handshake
lines IDDQ-HDSHK, which are used for controlling the quiescent
current measurement (IDDQ measurement) of microcomputer MC,
run between microcomputer MC and monitoring unit CU. So-called
disabling paths 3 lead from monitoring unit CU to external
warning lamps and/or relays to manipulate the safety-critical
applications to be controlled, depending on whether monitoring
unit CU detects an error of microcomputer MC. Peripheral
circuits IO have connecting lines 4 to safety-critical
application 5 to be controlled.

After control unit 1 is switched on, the quiescent current is
measured to check the functionality of microcomputer MC. While
control unit 1 is in operation, the functionality of
microcomputer MC is checked in that it regularly receives test
data records, and the corresponding second test data output
signal of the MC is compared to an error-free first test data
output signal calculated by monitoring unit CU.

Figure 2 shows a detailed overview of a block diagram of the
control unit 1 from Figure 1. Monitoring unit CU includes a
control system 6 of monitoring unit CU, a measuring run
control 7 for the IDDQ measurement, an IDDQ measuring circuit
8, and a voltage supply 9. Control system 6 of monitoring unit
CU includes a test data signal generator 10, a response
generator 11, and a comparator 12. With the aid of test data
signal generator 10, a test data input signal is applied to
microcomputer MC, and the microcomputer determines a second
test data output signal as a function of the test data input
signal and its own internal states. Response generator 11
processes the same test data input signal and forms a
corresponding first test data output signal. In comparator 12,
the first test data output signal of monitoring unit CU is
compared to the second test data output signal of
microcomputer MC. A trigger generator 13 determines the
instant at which the second test data output signal of
microcomputer MC is available at comparator 12, given an
error-free, functioning microcomputer MC.



Control system 6 of monitoring unit CU further has an error
counter 14, which counts an error in the event that the
second test data output signal of microcomputer MC is not
consistent with the first test data output signal of
monitoring unit CU, and/or in the event that the second test
data output signal of microcomputer MC is available at
comparator 12 at a different instant than the one determined
by trigger generator 13.

Furthermore, control system 6 of monitoring unit CU has a test 
data register 17, which is used for transmitting and receiving 
test data. 


Finally, control system 6 of monitoring unit CU also has an
initialization circuit 15, which receives an initialization
signal RST from voltage supply 9 after control unit 1 is
switched on and subsequently synchronizes monitoring unit CU
with microcomputer MC in that the monitoring unit waits for
the first data transmission of the MC. Initialization circuit
15 subsequently activates test data signal generator 10 and
error counter 14.

In test data signal generator 10, the test data input signals
for microcomputer MC are generated in a virtually random order
by a feedback shift register. With the aid of the Reed-Muller
codes, the bit string for the corresponding first test data
output signal is formed in response generator 11 for every
test data input signal. This code is used to maintain a
distance that is as great as possible in the space of numbers
of the test data output signals (Hamming distance). In
comparator 12, the first test data output signal determined in
response generator 11 is then compared to the actual second
test data output signal of microcomputer MC.

The instant of the comparison is specified by trigger
generator 13. This ensures that the time slices in
microcomputer MC proceed correctly. Comparator 12 not only
checks the second test data output signal of the MC for the
correct data value but also determines whether the test data
output signal is transmitted within a specific timing window.
If the value and instant of the second test data output signal
of the MC are correct, error counter 14 is decremented, and
the safety-critical application to be controlled is kept in an
active state via a signal interface 16 in that external
warning lights are switched off and the relays for triggering
application 5 are activated.

In every cycle following this first cycle, the instant and
value of the second test data output signal of the MC must be
correct to prevent error counter 14 from responding
immediately. Error counter 14 has a plurality of response
thresholds to prevent control unit 1 or application 5 from
being switched off in the case of a singular disturbance and
to enable microcomputer MC to check the disabling path. The
first step blocks the valve output stages via signal EN and
switches off the voltage supply of the valves via valve relay
VRA. The display of the warning lights SILA is delayed by one
cycle, so that there is no display when testing the disabling
path.

If a test data input signal is responded to at the wrong
instant or with an incorrect value, the same test data input
signal is applied again to microcomputer MC until the instant
and value are correct. If this does not occur within a
predefined time period, monitoring unit CU switches off the
control unit 1, and it can no longer be activated even by
correct responses.
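
The monitoring cycle described in the preceding paragraphs, as an added C example that is not part of the specification: a feedback shift register produces the test data input, a Reed-Muller encoder forms the expected response, and the comparison of value and arrival time drives an error counter with two thresholds. The 4-bit register, the RM(1,3) code parameters, the tick window, the threshold values and all identifiers are assumptions; the "predefined time period" is modelled here as the second counter threshold.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values (not from the specification): timing window, counter thresholds. */
enum { WIN_MIN = 8, WIN_MAX = 12, TH_BLOCK = 3, TH_OFF = 6 };
typedef enum { CU_ACTIVE, CU_OUTPUTS_BLOCKED, CU_OFF } cu_state_t;
typedef struct { uint8_t challenge; int errors; cu_state_t state; } cu_t;

/* Test data signal generator: 4-bit feedback shift register (x^4 + x^3 + 1),
   stepping through all 15 non-zero values in a pseudo-random order. */
uint8_t lfsr_next(uint8_t s) {
    uint8_t fb = (uint8_t)(((s >> 3) ^ (s >> 2)) & 1u);
    return (uint8_t)(((s << 1) | fb) & 0x0Fu);
}

/* Response generator: first-order Reed-Muller code RM(1,3). Codeword bit x is
   m0 ^ m1*x0 ^ m2*x1 ^ m3*x2, so distinct codewords differ in at least 4 bits. */
uint8_t rm13_encode(uint8_t m) {
    uint8_t cw = 0;
    for (unsigned x = 0; x < 8; x++) {
        unsigned b = (m ^ ((m >> 1) & x) ^ ((m >> 2) & (x >> 1)) ^ ((m >> 3) & (x >> 2))) & 1u;
        cw |= (uint8_t)(b << x);
    }
    return cw;
}

/* Comparator, trigger generator and error counter for one monitoring cycle. */
cu_state_t cu_check(cu_t *cu, uint8_t response, unsigned tick) {
    if (cu->state == CU_OFF) return CU_OFF;  /* latched: correct answers no longer help */
    bool ok = response == rm13_encode(cu->challenge) &&
              tick >= WIN_MIN && tick <= WIN_MAX;
    if (ok) {
        if (cu->errors > 0) cu->errors--;
        cu->challenge = lfsr_next(cu->challenge);  /* next test data input signal */
    } else {
        cu->errors++;                              /* same input is applied again */
    }
    cu->state = cu->errors >= TH_OFF   ? CU_OFF
              : cu->errors >= TH_BLOCK ? CU_OUTPUTS_BLOCKED : CU_ACTIVE;
    return cu->state;
}

int main(void) {
    cu_t cu = { .challenge = 0x1, .errors = 0, .state = CU_ACTIVE };
    /* Constructed run: two correct answers, then an MC stuck on a stale value. */
    for (int cycle = 0; cycle < 9; cycle++) {
        uint8_t resp = cycle < 2 ? rm13_encode(cu.challenge) : 0xFF;
        cu_state_t st = cu_check(&cu, resp, 10);
        printf("cycle %d: errors=%d state=%d\n", cycle, cu.errors, (int)st);
    }
    return 0;
}
```

A correct value that arrives outside the window counts as an error exactly like a wrong value, which is what lets the monitoring unit catch a microcomputer whose time slices have slipped.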

After control unit 1 is switched on, the quiescent current is
measured for a set number (typically 8 to 16) of selected
instants of a test program. The communication between
microcomputer MC and monitoring unit CU for measuring the
quiescent current is carried out via the two handshake lines
START and END. While the quiescent current is being measured,
microcomputer MC stops clock generator CLK. Between monitoring
unit CU and microcomputer MC are two separate voltage supply
lines, VDD_digital for supplying the digital component of
microcomputer MC and VDD_analog for supplying the analog
component of microcomputer MC. The quiescent current is
measured in voltage supply line VDD_digital.

The quiescent current measurement is enabled after the voltage
supply is switched on via signal IDDQ_EN of control system 6
of monitoring unit CU. The successful completion of the
quiescent current measurement is signaled to control system
6 of monitoring unit CU by signal IDDQ_FIN. Consequently,
monitoring unit CU advances the test run in that
initialization circuit 15 enables test data signal generator
10 via a signal IDDQ_OK.

Figure 3 shows a circuit configuration for measuring the
quiescent current including a two-wire handshake. Figure 4
shows the timing diagram of measuring run control 7 for the
quiescent current measurement from Figure 3. After control
unit 1 is switched on, microcomputer MC starts its self-test.
Part of this self-test is the quiescent current measurement.
If the functional sequence in microcomputer MC reaches the
quiescent current test, the START signal is activated. At
instant T1, the quiescent current measurement is activated by
signal_Act. The output of comparator 12 for the quiescent
current measurement is evaluated after time T2. If the value
is acceptable, microcomputer MC is activated again by the END
signal. If the value is outside of a limiting value, the
measurement is repeated. The number of repetitions is preset.
If repeating the measurement also does not produce a correct
response, the measurement is discontinued, and monitoring unit
CU does not switch on microcomputer MC but remains in a
fail-safe mode. When all quiescent current measurements are
completed, signal IDDQ_FIN is set to HIGH. Consequently,
control system 6 of monitoring unit CU resets signal IDDQ_EN
from HIGH to LOW.
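
The power-on quiescent current run described above, as an added C example that is not part of the specification: each measurement point is repeated up to a preset number of times, one persistent out-of-limit reading leaves the unit in fail-safe mode, and only a complete run sets IDDQ_FIN and IDDQ_OK. The limit, the retry budget, the measurement hook and all identifiers are assumptions, and the sample sources are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed values (not from the specification): limit in microamps, retry budget. */
enum { IDDQ_LIMIT_UA = 50, MAX_REPEATS = 3 };

typedef struct {
    bool iddq_en;        /* control system 6 enables the measuring run            */
    bool iddq_fin;       /* measuring run control 7 reports completion            */
    bool iddq_ok;        /* initialization circuit 15 releases test generator 10  */
    bool fail_safe;      /* measurement discontinued, MC is not switched on       */
    size_t points_done;  /* measurement points that passed                        */
} iddq_run_t;

/* Hypothetical measurement hook: quiescent current in microamps for one attempt. */
typedef unsigned (*iddq_sample_fn)(size_t point, unsigned attempt);

bool iddq_power_on_test(iddq_run_t *r, iddq_sample_fn sample, size_t points) {
    *r = (iddq_run_t){ .iddq_en = true };
    for (size_t p = 0; p < points; p++) {          /* MC raises START, clock stopped */
        bool pass = false;
        for (unsigned a = 0; a <= MAX_REPEATS && !pass; a++)
            pass = sample(p, a) <= IDDQ_LIMIT_UA;  /* comparator evaluated after T2 */
        if (!pass) {                               /* END is never sent */
            r->fail_safe = true;
            return false;
        }
        r->points_done++;                          /* END reactivates the MC */
    }
    r->iddq_fin = true;                            /* all measurements completed */
    r->iddq_en = false;                            /* IDDQ_EN reset from HIGH to LOW */
    r->iddq_ok = true;
    return true;
}

/* Constructed sample sources: healthy part, one transient, one persistent defect. */
unsigned sample_healthy(size_t p, unsigned a) { (void)p; (void)a; return 12; }
unsigned sample_glitch(size_t p, unsigned a) { return (p == 2 && a == 0) ? 400 : 12; }
unsigned sample_leaky(size_t p, unsigned a) { (void)a; return p == 5 ? 400 : 12; }

int main(void) {
    iddq_run_t r;
    bool ok = iddq_power_on_test(&r, sample_leaky, 8);
    printf("leaky part: ok=%d fail_safe=%d points_done=%zu\n", ok, r.fail_safe, r.points_done);
    ok = iddq_power_on_test(&r, sample_glitch, 8);
    printf("glitch:     ok=%d fail_safe=%d points_done=%zu\n", ok, r.fail_safe, r.points_done);
    return 0;
}
```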

What is claimed is:



1. A control unit (1) for controlling safety-critical
applications (5), having a microcomputer (MC), a monitoring
unit (check unit, CU), and peripheral circuits (input output,
IO), wherein the monitoring unit (CU) has first means for
measuring the quiescent current of the microcomputer (MC); at
least one quiescent current handshake line (IDDQ-HDSHK) for
controlling the measurement of the quiescent current runs
between the first means of the CU and the MC; the CU has
second means for applying a test data input signal for
processing the test data output signal and for comparing the
corresponding test data output signal of the MC to the
corresponding test data output signal of the CU; and at least
one test data signal transmission line runs between the second
means of the CU and the MC.

2. The control unit (1) as recited in Claim 1, wherein the
first means includes an IDDQ measuring circuit (8), a voltage
supply (9), an IDDQ measuring run control (MAS) (7), and a
control system (6) of the CU; and the connection between the
first means and the MC includes two handshake lines (START,
END), which run from the IDDQ-MAS to the MC, and at least one
voltage supply line (VDD), which runs from the voltage supply
(9) to the MC, at least one of the voltage supply lines (VDD)
running through IDDQ measuring circuit (8).

3. The control unit (1) as recited in Claim 2, wherein two
voltage supply lines (VDD_analog, VDD_digital) run between the
voltage source (9) and the MC, one voltage supply line
(VDD_digital) running through the IDDQ measuring circuit (8).

4. The control unit (1) as recited in Claim 1, wherein the
first means includes an IDDQ measuring circuit (8), a voltage
supply (9), an IDDQ measuring run control (MAS) (7), and a
control system (6) of the CU; and the connection between the
first means and the MC includes four handshake lines (START,
END, CLK, PWR_DN), which run from the IDDQ-MAS (7) to the MC,
and at least one voltage supply line (VDD), which runs from
the voltage supply (9) to the MC, at least one of the voltage
supply lines (VDD) running through IDDQ measuring circuit (8).

5. The control unit (1) as recited in one of Claims 2 through
4, wherein the first means have an initialization circuit
(15), which, after the control unit (1) is switched on,
receives an initialization signal (RST) from the voltage
source (9) and subsequently transmits an enable signal
(IDDQ_EN) to the IDDQ-MAS (7) to enable the IDDQ measurement.

6. The control unit (1) as recited in one of Claims 1 through
5, wherein the second means include a test data signal
generator (10) for applying a test data input signal to the
MC, a response generator (11) for processing the test data
input signal and for forming a corresponding test data output
signal, a test data register (17) for transmitting and
receiving the test data, and a comparator (12) for comparing
the test data output signal of the MC to the test data output
signal of the CU; and the connection between the second means
and the MC includes at least one test data transmission line,
which runs between the test data register (17) and the MC.

7. The control unit (1) as recited in Claim 6, wherein the
connection between the second means and the MC includes two
test data transmission lines (CU_Dout, CU_Din).

8. The control unit (1) as recited in Claim 6 or 7, wherein
the second means have a trigger generator (13), which
determines the instant at which the test data output signal of
the MC is available at the comparator (12), given an
error-free MC.

9. The control unit (1) as recited in one of Claims 6 through
8, wherein the second means have an error counter (14), which
counts an error, in the event that the test data output signal
of the MC is not consistent with the test data output signal
of the CU, and/or in the event that the test data output
signal of the MC is available at the comparator (12) at a
different instant than the one determined by the trigger
generator (13).

10. The control unit (1) as recited in Claim 9, wherein the
error counter (14) has a plurality of response thresholds,
exceeding the response threshold resulting in a different
reaction in each case.

11. The control unit (1) as recited in one of Claims 6 through
10, wherein the first means have an initialization circuit
(15), which receives an initialization signal (RST) from the
voltage source (9) after the control unit (1) is switched on,
subsequently synchronizes the CU with the MC, and then
activates the test data signal generator (10) and the error
counter (14).

12. A method for testing a microcomputer (MC) of a control
unit (1) for controlling safety-critical applications, the
control unit having the microcomputer (MC), a monitoring unit
(check unit, CU), and peripheral circuits (input output, IO),
wherein the quiescent current of the MC is measured, a test
data input signal is applied to the MC, a first test data
output signal is determined, and a second test data output
signal of the MC is compared to the first test data output
signal of the CU.

13. The method as recited in Claim 12, wherein the quiescent
current measurement is in the form of an IDDQ measurement.

14. The method as recited in Claim 13, wherein the IDDQ
measurement is carried out after the control unit (1) is
switched on after being enabled by an enable signal (IDDQ_EN).

15. The method as recited in Claim 13 or 14, wherein the
second test data output signal of the MC is compared to the
first test data output signal of the CU while the control unit
(1) is in operation.

16. The method as recited in one of Claims 13 through 15,
wherein clock generator (clock, CLK) is stopped by the MC
during the IDDQ measurement and/or while the second test data
output signal of the MC is being compared to the first test
data output signal of the CU.

17. The method as recited in one of Claims 13 through 16,
wherein the test data input signal of the CU is generated by a
test data signal generator (10), via a feedback shift
register.

18. The method as recited in Claim 17, wherein the test data
output signal of the CU is generated by a response generator
(11), with the aid of the Reed-Muller code.

[10191/1923]

DECLARATION AND POWER OF ATTORNEY 

As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship 
are as stated below next to my name. 

I believe I am the original, first and sole inventor
(if only one name is listed below) or an original, first and
joint inventor (if plural names are listed below) of the
subject matter which is claimed and for which a patent is
sought on the invention entitled CONTROL UNIT FOR CONTROLLING
SAFETY-CRITICAL APPLICATIONS, the specification of which was
filed as International Application PCT/DE00/00157 on January
18, 2000;

I hereby state that I have reviewed and understand
the contents of the above-identified specification, including
the claims.

I acknowledge the duty to disclose information which
is material to the examination of this application in
accordance with Title 37, Code of Federal Regulations,
§ 1.56(a).

I hereby claim foreign priority benefits under Title
35, United States Code, § 119 of any foreign application(s)
for patent or inventor's certificate listed below and have
also identified below any foreign application(s) for patent or
inventor's certificate having a filing date before that of the
application on which priority is claimed:



PRIOR FOREIGN APPLICATION(S)

Number         Country                Day/month/year filed   Priority Claimed Under 35 USC 119
199 02 031.0   Fed. Rep. of Germany   20 January 1999        Yes



And I hereby appoint Richard L. Mayer (Reg. No.
22,490) and Gerard A. Messina (Reg. No. 35,952) my attorneys
with full power of substitution and revocation, to prosecute
this application and to transact all business in the Patent
and Trademark Office connected therewith.

Please address all communications regarding this
application to:

KENYON & KENYON
One Broadway
New York, New York 10004
CUSTOMER NO. 26646



Please direct all telephone calls to Richard L. 
Mayer at (212) 425-7200. 

I hereby declare that all statements made herein of 
my own knowledge are true and that all statements made on 
information and belief are believed to be true; and further 
that these statements were made with the knowledge that 
willful false statements and the like so made are punishable 
by fine or imprisonment, or both, under Section 1001 of Title 
18 of the United States Code and that such willful and false 
statements may jeopardize the validity of the application or 
any patent issued thereon. 